Auto-Generated Documentation
This documentation is generated automatically from source, so any change to functionality is documented and available on release.
Hit
The Howler Outline schema, an extended version of the Elastic Common Schema (ECS). Fields marked Required are always present on a stored hit; those with a default are filled in when the producer omits them, and those with default None must be supplied.
Field | Type | Description | Required | Default |
---|---|---|---|---|
timestamp | Date | Date/time when the event originated. Reference Link | Yes | NOW |
labels | Mapping [Keyword] | Custom key/value pairs. Reference Link | Yes | {} |
tags | List [Keyword] | List of keywords used to tag each event. Reference Link | Yes | [] |
howler | HowlerData | Howler-specific definition of the hit that matches the outline. Reference Link | Yes | None |
assemblyline | AssemblyLine | AssemblyLine metadata associated with this alert. | Optional | None |
agent | Agent | The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Reference Link | Optional | None |
aws | AWS | Fields related to AWS. | Optional | None |
azure | Azure | Fields related to Azure. | Optional | None |
cbs | CBS | CBS metadata associated with this alert. | Optional | None |
cloud | Cloud | Fields related to the cloud or infrastructure the events are coming from. Reference Link | Optional | None |
container | Container | Container fields are used for meta information about the specific container that is the source of information. Reference Link | Optional | None |
destination | Client | Destination fields capture details about the receiver of a network exchange/packet. Reference Link | Optional | None |
dns | DNS | Fields describing DNS queries and answers. Reference Link | Optional | None |
ecs | ECSVersion | Meta-information specific to ECS. Reference Link | Yes | See ECSVersion for more details. |
error | Error | These fields can represent errors of any kind. Reference Link | Optional | None |
event | Event | The event fields are used for context information about the log or metric event itself. | Optional | None |
 | | Event details relating to an email transaction. Reference Link | Optional | None |
faas | FAAS | The faas fields describe information about the function as a service (FaaS) that is relevant to the event. Reference Link | Optional | None |
file | File | A file is defined as a set of information that has been created on, or has existed on a filesystem. Reference Link | Optional | None |
gcp | GCP | Fields related to Google Cloud Platform. | Optional | None |
group | Group | The group fields are meant to represent groups that are relevant to the event. Reference Link | Optional | None |
host | Host | A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. Reference Link | Optional | None |
http | HTTP | Fields related to HTTP activity. Use the url field set to store the URL of the request. Reference Link | Optional | None |
organization | Organization | The organization fields enrich data with information about the company or entity the data is associated with. Reference Link | Optional | None |
process | Process | These fields contain information about a process. Reference Link | Optional | None |
registry | Registry | Fields related to Windows Registry operations. Reference Link | Optional | None |
related | Related | This field set is meant to facilitate pivoting around a piece of data (for example related.ip, related.hash, related.hosts, related.user), so that indicators seen anywhere in the hit can be searched in one place. Reference Link | Optional | None |
server | Server | A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. Reference Link | Optional | None |
source | Client | Source fields capture details about the sender of a network exchange/packet. Reference Link | Optional | None |
threat | Threat | Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. Reference Link | Optional | None |
tls | TLS | Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related x.509 certificate files. Reference Link | Optional | None |
url | URL | URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on. Reference Link | Optional | None |
user | User | The user fields describe information about the user that is relevant to the event. Reference Link | Optional | None |
user_agent | UserAgent | The user_agent fields normally come from a browser request. Reference Link | Optional | None |
vulnerability | Vulnerability | The vulnerability fields describe information about a vulnerability that is relevant to an event. Reference Link | Optional | None |
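The table above is the contract a hit producer has to satisfy before a document is accepted. The following is an added example, not Howler's own code, that encodes just the top-level rows (field names, Required/Default columns, and the scalar types of timestamp, labels and tags) as a small validator: it rejects unknown top-level keys, fills the defaults the table lists, and refuses a hit that omits a required field with no default. Every nested field set (HowlerData, ECSVersion, the ECS objects) is treated as an opaque JSON object, since their internals are not described on this page; the ECSVersion default is also not given here, so `ecs` is treated as required with no default (an assumption). The sample hits are constructed for illustration.

```python
"""Validate a Howler Hit document against the top-level outline.

Added example, not Howler's own code.  Only the top-level Required/Default
columns are encoded; nested field sets are checked to be JSON objects.
"""
from datetime import datetime, timezone
from typing import Any, Callable, Optional

# Required fields -> default factory.  None means "required, no default":
# the producer must supply it or the hit is rejected.
REQUIRED: dict[str, Optional[Callable[[], Any]]] = {
    "timestamp": lambda: datetime.now(timezone.utc).isoformat(),  # NOW
    "labels": dict,   # {}
    "tags": list,     # []
    "howler": None,   # HowlerData, default None
    "ecs": None,      # assumption: ECSVersion default not stated on this page
}

# Optional field sets (default None).  The email row has no field name on
# the page, so it is deliberately not listed here.
OPTIONAL = {
    "assemblyline", "agent", "aws", "azure", "cbs", "cloud", "container",
    "destination", "dns", "error", "event", "faas", "file", "gcp", "group",
    "host", "http", "organization", "process", "registry", "related",
    "server", "source", "threat", "tls", "url", "user", "user_agent",
    "vulnerability",
}


class HitError(ValueError):
    """Raised when a document does not satisfy the Hit outline."""


def _check_date(name: str, value: Any) -> None:
    # Date: accept an ISO 8601 string; tolerate a trailing Z for UTC.
    if not isinstance(value, str):
        raise HitError(f"{name}: expected Date string, got {type(value).__name__}")
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError as exc:
        raise HitError(f"{name}: not an ISO 8601 date: {value!r}") from exc


def _check_keyword_map(name: str, value: Any) -> None:
    # Mapping[Keyword]: str -> str only.
    ok = isinstance(value, dict) and all(
        isinstance(k, str) and isinstance(v, str) for k, v in value.items()
    )
    if not ok:
        raise HitError(f"{name}: expected Mapping[Keyword], got {value!r}")


def _check_keyword_list(name: str, value: Any) -> None:
    # List[Keyword]: list of str only.
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise HitError(f"{name}: expected List[Keyword], got {value!r}")


def normalize_hit(raw: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `raw` with defaults applied, or raise HitError."""
    hit = dict(raw)
    unknown = set(hit) - set(REQUIRED) - OPTIONAL
    if unknown:
        raise HitError(f"unknown top-level field(s): {sorted(unknown)}")
    for name, default in REQUIRED.items():
        if hit.get(name) is None:
            if default is None:
                raise HitError(f"{name}: required and has no default")
            hit[name] = default()
    _check_date("timestamp", hit["timestamp"])
    _check_keyword_map("labels", hit["labels"])
    _check_keyword_list("tags", hit["tags"])
    # Every remaining field set is an object; contents are not checked here.
    for name in ("howler", "ecs", *OPTIONAL):
        if name in hit and not isinstance(hit[name], dict):
            raise HitError(f"{name}: expected an object, got {type(hit[name]).__name__}")
    return hit


def validation_error(raw: dict[str, Any]) -> Optional[str]:
    """Convenience wrapper: the error message, or None if the hit is valid."""
    try:
        normalize_hit(raw)
    except HitError as exc:
        return str(exc)
    return None


# Constructed samples (not real Howler data).  HowlerData and ECSVersion
# contents are placeholders; only their presence as objects is checked.
SAMPLE_MINIMAL = {"howler": {}, "ecs": {"version": "8.0.0"}, "tags": ["constructed"]}
SAMPLE_MISSING_HOWLER = {"ecs": {"version": "8.0.0"}}
SAMPLE_BAD_TAGS = {"howler": {}, "ecs": {}, "tags": "not-a-list"}
SAMPLE_UNKNOWN_KEY = {"howler": {}, "ecs": {}, "emial": {}}
SAMPLE_BAD_DATE = {"howler": {}, "ecs": {}, "timestamp": "yesterday"}

if __name__ == "__main__":
    print(normalize_hit(SAMPLE_MINIMAL))
    for sample in (SAMPLE_MISSING_HOWLER, SAMPLE_BAD_TAGS, SAMPLE_UNKNOWN_KEY, SAMPLE_BAD_DATE):
        print("rejected:", validation_error(sample))
```

The unknown-key check is the part worth keeping in a real ingestion path: a misspelled field set silently dropped at index time is a detection gap, not a harmless typo.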