From f8ff80a08e7f0776f8e31b75457e3c7fcf6e9b76 Mon Sep 17 00:00:00 2001
From: Martijn Laarman
Date: Mon, 23 Sep 2024 17:57:28 +0200
Subject: [PATCH 1/8] Reproduce #402
---
.../Repro/GithubIssue402.cs | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs
diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs
new file mode 100644
index 00000000..3004213c
--- /dev/null
+++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs
@@ -0,0 +1,35 @@
+using System.Linq;
+using FluentAssertions;
+using Serilog.Context;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Elastic.CommonSchema.Serilog.Tests.Repro;
+
+public class GithubIssue402 : LogTestsBase
+{
+ public GithubIssue402(ITestOutputHelper output) : base(output) { }
+
+ [Fact]
+ public void Reproduce() => TestLogger((logger, getLogEvents) =>
+ {
+ using (LogContext.PushProperty("client.user.id", "regis"))
+ logger.Information("Logging something with log context");
+
+ var logEvents = getLogEvents();
+ logEvents.Should().HaveCount(1);
+
+ var ecsEvents = ToEcsEvents(logEvents);
+
+ var (_, info) = ecsEvents.First();
+ info.Message.Should().Be("Logging something with log context");
+
+ info.Client.User.Id.Should().Be("regis");
+ //info.Labels.Should().NotBeNull().And.ContainKey("client.user.id");
+ //info.Labels["ShipmentId"].Should().Be("my-shipment-id");
+
+ //info.Metadata.Should().NotBeNull().And.ContainKey("ShipmentAmount");
+ //info.Metadata["ShipmentAmount"].Should().Be(2.3);
+
+ });
+}
From 887271ace13532d8e745412e50b8e513767fad1c Mon Sep 17 00:00:00 2001
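Review bot: The four commented-out assertions at the end of `Reproduce` mention `ShipmentId` and `ShipmentAmount`, which this test never logs, so they read as leftovers from another test; delete them (for example `//info.Labels["ShipmentId"].Should().Be("my-shipment-id");`) or replace them with live assertions about this property. As written, the test pins only the positive mapping of the `client.user.id` context property onto `info.Client.User.Id`. Identity fields like this are what audit and detection queries tend to key on, so it is worth also pinning where the value must not appear, e.g. that `info.Labels` carries no `client.user.id` key, if exclusive mapping is the intended behaviour (the mapping code is not visible in this patch).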
From: Martijn Laarman
Date: Tue, 24 Sep 2024 11:49:52 +0200
Subject: [PATCH 2/8] generate assignable interfaces for entity proeprties
---
.../AssignableInterfaces.Generated.cs | 271 ++++++++++++++++++
.../Entities.Generated.cs | 132 ++++-----
.../FieldSets.Generated.cs | 34 +--
.../LogTemplateProperties.Generated.cs | 34 +--
.../Serialization/EcsJsonContext.Generated.cs | 6 +-
.../Repro/GithubIssue402.cs | 2 +
.../FileGenerator.cs | 1 +
.../Projection/TypeProjector.cs | 40 ++-
.../Projection/Types.cs | 61 ++--
.../AssignableInterfaces.Generated.cshtml | 41 +++
.../Views/Entities.Generated.cshtml | 4 +-
11 files changed, 491 insertions(+), 135 deletions(-)
create mode 100644 src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs
create mode 100644 tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml
diff --git a/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs b/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs
new file mode 100644
index 00000000..5bad139a
--- /dev/null
+++ b/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs
@@ -0,0 +1,271 @@ +// Licensed to Elasticsearch B.V under one or more agreements. +// Elasticsearch B.V licenses this file to you under the Apache 2.0 License. +// See the LICENSE file in the project root for more information + +/* +IMPORTANT NOTE +============== +This file has been generated. +If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! +*/ + +// ReSharper disable RedundantUsingDirective +using System; +using System.Collections.Generic; +using System.Threading; +using System.Threading.Tasks; +using System.Linq; +using System.Net; +using System.Runtime.Serialization; +using System.Text.Json.Serialization; + +#nullable enable +namespace Elastic.CommonSchema +{ + + /// Interface for entities that can assign an IAs: Client, Destination, Server, Source + public interface IAs { + ///as + public As? As { get; set; } + } + + /// Interface for entities that can assign an IGeo: Client, Destination, Host, Observer, Server, Source + public interface IGeo { + ///geo + public Geo? Geo { get; set; } + } + + /// Interface for entities that can assign an IUser: Client, Destination, Process, Server, Source + public interface IUser { + ///user + public User? User { get; set; } + } + + /// Interface for entities that can assign an ICloudOrigin: Cloud + public interface ICloudOrigin { + ///origin + public CloudOrigin? Origin { get; set; } + } + + /// Interface for entities that can assign an ICloudTarget: Cloud + public interface ICloudTarget { + ///target + public CloudTarget? Target { get; set; } + } + + /// Interface for entities that can assign an IHash: Dll, File, Process + public interface IHash { + ///hash + public Hash? Hash { get; set; } + } + + /// Interface for entities that can assign an IPe: Dll, File, Process + public interface IPe { + ///pe + public Pe? 
Pe { get; set; } + } + + /// Interface for entities that can assign an ICodeSignature: Dll, File, Process + public interface ICodeSignature { + ///code_signature + public CodeSignature? CodeSignature { get; set; } + } + + /// Interface for entities that can assign an IX509: File + public interface IX509 { + ///x509 + public X509? X509 { get; set; } + } + + /// Interface for entities that can assign an IElf: File, Process + public interface IElf { + ///elf + public Elf? Elf { get; set; } + } + + /// Interface for entities that can assign an IMacho: File, Process + public interface IMacho { + ///macho + public Macho? Macho { get; set; } + } + + /// Interface for entities that can assign an IOs: Host, Observer, UserAgent + public interface IOs { + ///os + public Os? Os { get; set; } + } + + /// Interface for entities that can assign an IRisk: Host, User + public interface IRisk { + ///risk + public Risk? Risk { get; set; } + } + + /// Interface for entities that can assign an IVlan: Network + public interface IVlan { + ///vlan + public Vlan? Vlan { get; set; } + } + + /// Interface for entities that can assign an IGroup: Process, User + public interface IGroup { + ///group + public Group? Group { get; set; } + } + + /// Interface for entities that can assign an IRealGroup: Process + public interface IRealGroup { + ///real_group + public Group? RealGroup { get; set; } + } + + /// Interface for entities that can assign an ISavedGroup: Process + public interface ISavedGroup { + ///saved_group + public Group? SavedGroup { get; set; } + } + + /// Interface for entities that can assign an ISupplementalGroups: Process + public interface ISupplementalGroups { + ///supplemental_groups + public Group[]? SupplementalGroups { get; set; } + } + + /// Interface for entities that can assign an IAttestedGroups: Process + public interface IAttestedGroups { + ///attested_groups + public Group[]? 
AttestedGroups { get; set; } + } + + /// Interface for entities that can assign an IEntryMetaSource: Process + public interface IEntryMetaSource { + ///entry_meta.source + public Source? EntryMetaSource { get; set; } + } + + /// Interface for entities that can assign an ISavedUser: Process + public interface ISavedUser { + ///saved_user + public User? SavedUser { get; set; } + } + + /// Interface for entities that can assign an IRealUser: Process + public interface IRealUser { + ///real_user + public User? RealUser { get; set; } + } + + /// Interface for entities that can assign an IAttestedUser: Process + public interface IAttestedUser { + ///attested_user + public User? AttestedUser { get; set; } + } + + /// Interface for entities that can assign an IProcessParent: Process + public interface IProcessParent { + ///parent + public ProcessParent? Parent { get; set; } + } + + /// Interface for entities that can assign an IProcessEntryLeader: Process + public interface IProcessEntryLeader { + ///entry_leader + public ProcessEntryLeader? EntryLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessSessionLeader: Process + public interface IProcessSessionLeader { + ///session_leader + public ProcessSessionLeader? SessionLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessGroupLeader: Process + public interface IProcessGroupLeader { + ///group_leader + public ProcessGroupLeader? GroupLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessPrevious: Process + public interface IProcessPrevious { + ///previous + public ProcessPrevious[]? Previous { get; set; } + } + + /// Interface for entities that can assign an IServiceOrigin: Service + public interface IServiceOrigin { + ///origin + public ServiceOrigin? Origin { get; set; } + } + + /// Interface for entities that can assign an IServiceTarget: Service + public interface IServiceTarget { + ///target + public ServiceTarget? 
Target { get; set; } + } + + /// Interface for entities that can assign an IIndicatorX509: Threat + public interface IIndicatorX509 { + ///indicator.x509 + public X509? IndicatorX509 { get; set; } + } + + /// Interface for entities that can assign an IIndicatorAs: Threat + public interface IIndicatorAs { + ///indicator.as + public As? IndicatorAs { get; set; } + } + + /// Interface for entities that can assign an IIndicatorFile: Threat + public interface IIndicatorFile { + ///indicator.file + public File? IndicatorFile { get; set; } + } + + /// Interface for entities that can assign an IIndicatorGeo: Threat + public interface IIndicatorGeo { + ///indicator.geo + public Geo? IndicatorGeo { get; set; } + } + + /// Interface for entities that can assign an IIndicatorRegistry: Threat + public interface IIndicatorRegistry { + ///indicator.registry + public Registry? IndicatorRegistry { get; set; } + } + + /// Interface for entities that can assign an IIndicatorUrl: Threat + public interface IIndicatorUrl { + ///indicator.url + public Url? IndicatorUrl { get; set; } + } + + /// Interface for entities that can assign an IClientX509: Tls + public interface IClientX509 { + ///client.x509 + public X509? ClientX509 { get; set; } + } + + /// Interface for entities that can assign an IServerX509: Tls + public interface IServerX509 { + ///server.x509 + public X509? ServerX509 { get; set; } + } + + /// Interface for entities that can assign an IUserTarget: User + public interface IUserTarget { + ///target + public UserTarget? Target { get; set; } + } + + /// Interface for entities that can assign an IUserEffective: User + public interface IUserEffective { + ///effective + public UserEffective? Effective { get; set; } + } + + /// Interface for entities that can assign an IUserChanges: User + public interface IUserChanges { + ///changes + public UserChanges? Changes { get; set; } + } +} 
diff --git a/src/Elastic.CommonSchema/Entities.Generated.cs b/src/Elastic.CommonSchema/Entities.Generated.cs index 93398c92..99d8648d 100644 --- a/src/Elastic.CommonSchema/Entities.Generated.cs +++ b/src/Elastic.CommonSchema/Entities.Generated.cs @@ -24,15 +24,15 @@ namespace Elastic.CommonSchema { /// - public class CloudOrigin : CloudFieldSet { + public class CloudOrigin : CloudFieldSet { } /// - public class CloudTarget : CloudFieldSet { + public class CloudTarget : CloudFieldSet { } /// - public class ProcessParent : ProcessFieldSet { + public class ProcessParent : ProcessFieldSet { /// /// process.parent.group_leader @@ -43,7 +43,7 @@ public class ProcessParent : ProcessFieldSet { } /// - public class ProcessEntryLeader : ProcessFieldSet { + public class ProcessEntryLeader : ProcessFieldSet { /// /// process.entry_leader.parent @@ -54,7 +54,7 @@ public class ProcessEntryLeader : ProcessFieldSet { } /// - public class ProcessSessionLeader : ProcessFieldSet { + public class ProcessSessionLeader : ProcessFieldSet { /// /// process.session_leader.parent @@ -65,15 +65,15 @@ public class ProcessSessionLeader : ProcessFieldSet { } /// - public class ProcessGroupLeader : ProcessFieldSet { + public class ProcessGroupLeader : ProcessFieldSet { } /// - public class ProcessParentGroupLeader : ProcessFieldSet { + public class ProcessParentGroupLeader : ProcessFieldSet { } /// - public class ProcessEntryLeaderParent : ProcessFieldSet { + public class ProcessEntryLeaderParent : ProcessFieldSet { /// /// process.entry_leader.parent.session_leader @@ -84,7 +84,7 @@ public class ProcessEntryLeaderParent : ProcessFieldSet { } /// - public class ProcessSessionLeaderParent : ProcessFieldSet { + public class ProcessSessionLeaderParent : ProcessFieldSet { /// /// process.session_leader.parent.session_leader 
@@ -95,47 +95,47 @@ public class ProcessSessionLeaderParent : ProcessFieldSet { } /// - public class ProcessEntryLeaderParentSessionLeader : ProcessFieldSet { + public class ProcessEntryLeaderParentSessionLeader : ProcessFieldSet { } /// - public class ProcessSessionLeaderParentSessionLeader : ProcessFieldSet { + public class ProcessSessionLeaderParentSessionLeader : ProcessFieldSet { } /// - public class ProcessPrevious : ProcessFieldSet { + public class ProcessPrevious : ProcessFieldSet { } /// - public class ServiceOrigin : ServiceFieldSet { + public class ServiceOrigin : ServiceFieldSet { } /// - public class ServiceTarget : ServiceFieldSet { + public class ServiceTarget : ServiceFieldSet { } /// - public class UserTarget : UserFieldSet { + public class UserTarget : UserFieldSet { } /// - public class UserEffective : UserFieldSet { + public class UserEffective : UserFieldSet { } /// - public class UserChanges : UserFieldSet { + public class UserChanges : UserFieldSet { } /// - public class Agent : AgentFieldSet { + public class Agent : AgentFieldSet { } /// - public class As : AsFieldSet { + public class As : AsFieldSet { } /// - public class Client : ClientFieldSet { + public class Client : ClientFieldSet , IAs, IGeo, IUser { /// /// client.as @@ -160,7 +160,7 @@ public class Client : ClientFieldSet { } /// - public class Cloud : CloudFieldSet { + public class Cloud : CloudFieldSet , ICloudOrigin, ICloudTarget { /// /// cloud.origin @@ -178,19 +178,19 @@ public class Cloud : CloudFieldSet { } /// - public class CodeSignature : CodeSignatureFieldSet { + public class CodeSignature : CodeSignatureFieldSet { } /// - public class Container : ContainerFieldSet { + public class Container : ContainerFieldSet { } /// - public class DataStream : DataStreamFieldSet { + public class DataStream : DataStreamFieldSet { } /// - public class Destination : DestinationFieldSet { + public class Destination : DestinationFieldSet , IAs, IGeo, IUser { /// /// destination.as 
@@ -215,11 +215,11 @@ public class Destination : DestinationFieldSet { } /// - public class Device : DeviceFieldSet { + public class Device : DeviceFieldSet { } /// - public class Dll : DllFieldSet { + public class Dll : DllFieldSet , IHash, IPe, ICodeSignature { /// /// dll.hash @@ -244,35 +244,35 @@ public class Dll : DllFieldSet { } /// - public class Dns : DnsFieldSet { + public class Dns : DnsFieldSet { } /// - public partial class Ecs : EcsFieldSet { + public partial class Ecs : EcsFieldSet { } /// - public class Elf : ElfFieldSet { + public class Elf : ElfFieldSet { } /// - public class Email : EmailFieldSet { + public class Email : EmailFieldSet { } /// - public class Error : ErrorFieldSet { + public class Error : ErrorFieldSet { } /// - public class Event : EventFieldSet { + public class Event : EventFieldSet { } /// - public class Faas : FaasFieldSet { + public class Faas : FaasFieldSet { } /// - public class File : FileFieldSet { + public class File : FileFieldSet , IHash, IPe, ICodeSignature, IX509, IElf, IMacho { /// /// file.hash @@ -318,19 +318,19 @@ public class File : FileFieldSet { } /// - public class Geo : GeoFieldSet { + public class Geo : GeoFieldSet { } /// - public class Group : GroupFieldSet { + public class Group : GroupFieldSet { } /// - public class Hash : HashFieldSet { + public class Hash : HashFieldSet { } /// - public class Host : HostFieldSet { + public class Host : HostFieldSet , IGeo, IOs, IRisk { /// /// host.geo 
@@ -355,23 +355,23 @@ public class Host : HostFieldSet { } /// - public class Http : HttpFieldSet { + public class Http : HttpFieldSet { } /// - public class Interface : InterfaceFieldSet { + public class Interface : InterfaceFieldSet { } /// - public partial class Log : LogFieldSet { + public partial class Log : LogFieldSet { } /// - public class Macho : MachoFieldSet { + public class Macho : MachoFieldSet { } /// - public class Network : NetworkFieldSet { + public class Network : NetworkFieldSet , IVlan { /// /// network.vlan @@ -382,7 +382,7 @@ public class Network : NetworkFieldSet { } /// - public class Observer : ObserverFieldSet { + public class Observer : ObserverFieldSet , IGeo, IOs { /// /// observer.geo @@ -400,27 +400,27 @@ public class Observer : ObserverFieldSet { } /// - public class Orchestrator : OrchestratorFieldSet { + public class Orchestrator : OrchestratorFieldSet { } /// - public class Organization : OrganizationFieldSet { + public class Organization : OrganizationFieldSet { } /// - public class Os : OsFieldSet { + public class Os : OsFieldSet { } /// - public class Package : PackageFieldSet { + public class Package : PackageFieldSet { } /// - public class Pe : PeFieldSet { + public class Pe : PeFieldSet { } /// - public class Process : ProcessFieldSet { + public class Process : ProcessFieldSet , IUser, IHash, IPe, ICodeSignature, IElf, IMacho, IGroup, IRealGroup, ISavedGroup, ISupplementalGroups, IAttestedGroups, IEntryMetaSource, ISavedUser, IRealUser, IAttestedUser, IProcessParent, IProcessEntryLeader, IProcessSessionLeader, IProcessGroupLeader, IProcessPrevious { /// /// process.group 
@@ -564,23 +564,23 @@ public class Process : ProcessFieldSet { } /// - public class Registry : RegistryFieldSet { + public class Registry : RegistryFieldSet { } /// - public class Related : RelatedFieldSet { + public class Related : RelatedFieldSet { } /// - public class Risk : RiskFieldSet { + public class Risk : RiskFieldSet { } /// - public class Rule : RuleFieldSet { + public class Rule : RuleFieldSet { } /// - public class Server : ServerFieldSet { + public class Server : ServerFieldSet , IAs, IGeo, IUser { /// /// server.as @@ -605,7 +605,7 @@ public class Server : ServerFieldSet { } /// - public class Service : ServiceFieldSet { + public class Service : ServiceFieldSet , IServiceOrigin, IServiceTarget { /// /// service.origin @@ -623,7 +623,7 @@ public class Service : ServiceFieldSet { } /// - public class Source : SourceFieldSet { + public class Source : SourceFieldSet , IAs, IGeo, IUser { /// /// source.as @@ -648,7 +648,7 @@ public class Source : SourceFieldSet { } /// - public class Threat : ThreatFieldSet { + public class Threat : ThreatFieldSet , IIndicatorX509, IIndicatorAs, IIndicatorFile, IIndicatorGeo, IIndicatorRegistry, IIndicatorUrl { /// /// threat.indicator.x509 @@ -694,7 +694,7 @@ public class Threat : ThreatFieldSet { } /// - public class Tls : TlsFieldSet { + public class Tls : TlsFieldSet , IClientX509, IServerX509 { /// /// tls.client.x509 @@ -712,11 +712,11 @@ public class Tls : TlsFieldSet { } /// - public class Url : UrlFieldSet { + public class Url : UrlFieldSet { } /// - public class User : UserFieldSet { + public class User : UserFieldSet , IRisk, IGroup, IUserTarget, IUserEffective, IUserChanges { /// /// user.group @@ -755,7 +755,7 @@ public class User : UserFieldSet { } /// - public class UserAgent : UserAgentFieldSet { + public class UserAgent : UserAgentFieldSet , IOs { /// /// user_agent.os 
@@ -766,14 +766,14 @@ public class UserAgent : UserAgentFieldSet { } /// - public class Vlan : VlanFieldSet { + public class Vlan : VlanFieldSet { } /// - public class Vulnerability : VulnerabilityFieldSet { + public class Vulnerability : VulnerabilityFieldSet { } /// - public class X509 : X509FieldSet { + public class X509 : X509FieldSet { } } diff --git a/src/Elastic.CommonSchema/FieldSets.Generated.cs b/src/Elastic.CommonSchema/FieldSets.Generated.cs index 36f5ef91..4b0fce6a 100644 --- a/src/Elastic.CommonSchema/FieldSets.Generated.cs +++ b/src/Elastic.CommonSchema/FieldSets.Generated.cs @@ -116,7 +116,7 @@ public abstract class BaseFieldSet { /// If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. /// Required field for all events. ///
This is a required field
- /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM ///
[JsonPropertyName("@timestamp"), DataMember(Name = "@timestamp")] public DateTimeOffset? Timestamp { get; set; } @@ -448,7 +448,7 @@ public abstract class CodeSignatureFieldSet { /// /// code_signature.timestamp /// Date and time when the code signature was generated and signed. - /// 1/1/2021 12:10:30PM + /// 1/1/2021 12:10:30 PM /// [JsonPropertyName("timestamp"), DataMember(Name = "timestamp")] public DateTimeOffset? Timestamp { get; set; } @@ -1201,7 +1201,7 @@ public abstract class EmailFieldSet { /// /// email.delivery_timestamp /// The date and time when the email message was received by the service or client. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// [JsonPropertyName("delivery_timestamp"), DataMember(Name = "delivery_timestamp")] public DateTimeOffset? DeliveryTimestamp { get; set; } @@ -1242,7 +1242,7 @@ public abstract class EmailFieldSet { /// /// email.origination_timestamp /// The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// [JsonPropertyName("origination_timestamp"), DataMember(Name = "origination_timestamp")] public DateTimeOffset? OriginationTimestamp { get; set; } @@ -1425,7 +1425,7 @@ public abstract class EventFieldSet { /// This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. /// In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. /// In case the two timestamps are identical, `@timestamp` should be used. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM ///
[JsonPropertyName("created"), DataMember(Name = "created")] public DateTimeOffset? Created { get; set; } @@ -1478,7 +1478,7 @@ public abstract class EventFieldSet { /// Timestamp when an event arrived in the central data store. /// This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. /// In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - /// 5/23/2016 8:05:35AM + /// 5/23/2016 8:05:35 AM ///
[JsonPropertyName("ingested"), DataMember(Name = "ingested")] public DateTimeOffset? Ingested { get; set; } @@ -3343,7 +3343,7 @@ public abstract class ProcessFieldSet { /// /// process.end /// The time the process ended. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// [JsonPropertyName("end"), DataMember(Name = "end")] public DateTimeOffset? End { get; set; } @@ -3424,7 +3424,7 @@ public abstract class ProcessFieldSet { /// /// process.start /// The time the process started. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// [JsonPropertyName("start"), DataMember(Name = "start")] public DateTimeOffset? Start { get; set; } @@ -4215,7 +4215,7 @@ public abstract class ThreatFieldSet { /// /// threat.indicator.first_seen /// The date and time when intelligence source first reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// [JsonPropertyName("indicator.first_seen"), DataMember(Name = "indicator.first_seen")] public DateTimeOffset? IndicatorFirstSeen { get; set; } @@ -4231,7 +4231,7 @@ public abstract class ThreatFieldSet { /// /// threat.indicator.last_seen /// The date and time when intelligence source last reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// [JsonPropertyName("indicator.last_seen"), DataMember(Name = "indicator.last_seen")] public DateTimeOffset? IndicatorLastSeen { get; set; } @@ -4264,7 +4264,7 @@ public abstract class ThreatFieldSet { /// /// threat.indicator.modified_at /// The date and time when intelligence source last modified information for this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// [JsonPropertyName("indicator.modified_at"), DataMember(Name = "indicator.modified_at")] public DateTimeOffset? IndicatorModifiedAt { get; set; } 
@@ -4571,7 +4571,7 @@ public abstract class TlsFieldSet { /// /// tls.client.not_after /// Date/Time indicating when client certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// [JsonPropertyName("client.not_after"), DataMember(Name = "client.not_after")] public DateTimeOffset? ClientNotAfter { get; set; } @@ -4579,7 +4579,7 @@ public abstract class TlsFieldSet { /// /// tls.client.not_before /// Date/Time indicating when client certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// [JsonPropertyName("client.not_before"), DataMember(Name = "client.not_before")] public DateTimeOffset? ClientNotBefore { get; set; } @@ -4699,7 +4699,7 @@ public abstract class TlsFieldSet { /// /// tls.server.not_after /// Timestamp indicating when server certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// [JsonPropertyName("server.not_after"), DataMember(Name = "server.not_after")] public DateTimeOffset? ServerNotAfter { get; set; } @@ -4707,7 +4707,7 @@ public abstract class TlsFieldSet { /// /// tls.server.not_before /// Timestamp indicating when server certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// [JsonPropertyName("server.not_before"), DataMember(Name = "server.not_before")] public DateTimeOffset? ServerNotBefore { get; set; } @@ -5180,7 +5180,7 @@ public abstract class X509FieldSet { /// /// x509.not_after /// Time at which the certificate is no longer considered valid. - /// 7/16/2020 3:15:39AM + /// 7/16/2020 3:15:39 AM /// [JsonPropertyName("not_after"), DataMember(Name = "not_after")] public DateTimeOffset? NotAfter { get; set; } 
@@ -5188,7 +5188,7 @@ public abstract class X509FieldSet { /// /// x509.not_before /// Time at which the certificate is first considered valid. - /// 8/16/2019 1:40:25AM + /// 8/16/2019 1:40:25 AM /// [JsonPropertyName("not_before"), DataMember(Name = "not_before")] public DateTimeOffset? NotBefore { get; set; } diff --git a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs index 43428c8e..d1fa93a0 100644 --- a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs +++ b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs @@ -33,7 +33,7 @@ public static class LogTemplateProperties /// If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. /// Required field for all events. ///
This is a required field
- /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM ///
public static string Timestamp = nameof(Timestamp); /// @@ -314,7 +314,7 @@ public static class LogTemplateProperties /// /// code_signature.timestamp /// Date and time when the code signature was generated and signed. - /// 1/1/2021 12:10:30PM + /// 1/1/2021 12:10:30 PM /// public static string CodeSignatureTimestamp = nameof(CodeSignatureTimestamp); /// @@ -758,7 +758,7 @@ public static class LogTemplateProperties /// /// email.delivery_timestamp /// The date and time when the email message was received by the service or client. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// public static string EmailDeliveryTimestamp = nameof(EmailDeliveryTimestamp); /// @@ -783,7 +783,7 @@ public static class LogTemplateProperties /// /// email.origination_timestamp /// The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// public static string EmailOriginationTimestamp = nameof(EmailOriginationTimestamp); /// @@ -867,7 +867,7 @@ public static class LogTemplateProperties /// This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. /// In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. /// In case the two timestamps are identical, `@timestamp` should be used. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// public static string EventCreated = nameof(EventCreated); /// 
@@ -908,7 +908,7 @@ public static class LogTemplateProperties /// Timestamp when an event arrived in the central data store. /// This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. /// In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - /// 5/23/2016 8:05:35AM + /// 5/23/2016 8:05:35 AM /// public static string EventIngested = nameof(EventIngested); /// @@ -2121,7 +2121,7 @@ public static class LogTemplateProperties /// /// process.end /// The time the process ended. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// public static string ProcessEnd = nameof(ProcessEnd); /// @@ -2176,7 +2176,7 @@ public static class LogTemplateProperties /// /// process.start /// The time the process started. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// public static string ProcessStart = nameof(ProcessStart); /// @@ -2667,7 +2667,7 @@ public static class LogTemplateProperties /// /// threat.indicator.first_seen /// The date and time when intelligence source first reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// public static string ThreatIndicatorFirstSeen = nameof(ThreatIndicatorFirstSeen); /// @@ -2679,7 +2679,7 @@ public static class LogTemplateProperties /// /// threat.indicator.last_seen /// The date and time when intelligence source last reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// public static string ThreatIndicatorLastSeen = nameof(ThreatIndicatorLastSeen); /// 
@@ -2706,7 +2706,7 @@ public static class LogTemplateProperties /// /// threat.indicator.modified_at /// The date and time when intelligence source last modified information for this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// public static string ThreatIndicatorModifiedAt = nameof(ThreatIndicatorModifiedAt); /// @@ -2850,13 +2850,13 @@ public static class LogTemplateProperties /// /// tls.client.not_after /// Date/Time indicating when client certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// public static string TlsClientNotAfter = nameof(TlsClientNotAfter); /// /// tls.client.not_before /// Date/Time indicating when client certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// public static string TlsClientNotBefore = nameof(TlsClientNotBefore); /// @@ -2934,13 +2934,13 @@ public static class LogTemplateProperties /// /// tls.server.not_after /// Timestamp indicating when server certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// public static string TlsServerNotAfter = nameof(TlsServerNotAfter); /// /// tls.server.not_before /// Timestamp indicating when server certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// public static string TlsServerNotBefore = nameof(TlsServerNotBefore); /// @@ -3218,13 +3218,13 @@ public static class LogTemplateProperties /// /// x509.not_after /// Time at which the certificate is no longer considered valid. - /// 7/16/2020 3:15:39AM + /// 7/16/2020 3:15:39 AM /// public static string X509NotAfter = nameof(X509NotAfter); /// /// x509.not_before /// Time at which the certificate is first considered valid. - /// 8/16/2019 1:40:25AM + /// 8/16/2019 1:40:25 AM /// public static string X509NotBefore = nameof(X509NotBefore); /// 
diff --git a/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs b/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs index b954e29c..8629bf80 100644 --- a/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs +++ b/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs @@ -6,7 +6,7 @@ /* IMPORTANT NOTE ============== -This file has been generated. +This file has been generated. If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! */ @@ -63,7 +63,5 @@ namespace Elastic.CommonSchema.Serialization; [JsonSerializable(typeof(Vlan))] [JsonSerializable(typeof(Vulnerability))] [JsonSerializable(typeof(X509))] -[JsonSerializable(typeof(LogEntityJsonConverter.LogOriginInvalid))] -[JsonSerializable(typeof(LogEntityJsonConverter.LogFileOriginInvalid))] [JsonSourceGenerationOptions(DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)] -internal partial class EcsJsonContext : JsonSerializerContext { } +internal partial class EcsJsonContext : JsonSerializerContext { } \ No newline at end of file diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs index 3004213c..cb24757f 100644 --- a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs +++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs @@ -24,6 +24,8 @@ public void Reproduce() => TestLogger((logger, getLogEvents) => var (_, info) = ecsEvents.First(); info.Message.Should().Be("Logging something with log context"); + info.Client.Should().NotBeNull(); + info.Client.User.Id.Should().Be("regis"); //info.Labels.Should().NotBeNull().And.ContainKey("client.user.id"); //info.Labels["ShipmentId"].Should().Be("my-shipment-id"); diff --git a/tools/Elastic.CommonSchema.Generator/FileGenerator.cs b/tools/Elastic.CommonSchema.Generator/FileGenerator.cs index 26339576..b82e0460 100644 
--- a/tools/Elastic.CommonSchema.Generator/FileGenerator.cs +++ b/tools/Elastic.CommonSchema.Generator/FileGenerator.cs @@ -36,6 +36,7 @@ public static void Generate(CommonSchemaTypesProjection commonSchemaTypesProject { m => Generate(m, "Entities"), "Entities" }, { m => Generate(m, "Entities.ShouldSerialize"), "Generate ShouldSerialize special handling for Log and ECS" }, { m => Generate(m, "InlineObjects"), "Inline Objects" }, + { m => Generate(m, "AssignableInterfaces"), "Assignable Interfaces" }, { m => Generate(m, "IndexTemplates"), "Elasticsearch index templates" }, { m => Generate(m, "IndexComponents"), "Elasticsearch index components" }, }; diff --git a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs index b59ad8ef..8a0bdc8a 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs @@ -1,8 +1,11 @@ using System.Collections.Generic; using System.Collections.ObjectModel; using System.Linq; +using CsQuery.Engine.PseudoClassSelectors; using Elastic.CommonSchema.Generator.Schema; using Elastic.CommonSchema.Generator.Schema.DTO; +using Microsoft.CodeAnalysis; +using YamlDotNet.Core.Tokens; namespace Elastic.CommonSchema.Generator.Projection { @@ -25,6 +28,8 @@ public class CommonSchemaTypesProjection public ReadOnlyCollection Warnings { get; set; } public IReadOnlyCollection IndexTemplates { get; set; } public IReadOnlyCollection IndexComponents { get; set; } + + public List AssignableInterfaces { get; set; } // ReSharper restore PropertyCanBeMadeInitOnly.Global } 
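Review bot: The three using directives added in the first TypeProjector.cs hunk, `using CsQuery.Engine.PseudoClassSelectors;`, `using Microsoft.CodeAnalysis;` and `using YamlDotNet.Core.Tokens;`, are not referenced by any code visible in this commit's TypeProjector.cs hunks and look like IDE auto-imports. `YamlDotNet.Core.Tokens` brings types named `Key` and `Value` into scope in a file that works with `prop.Key` and `.Value` throughout, so a bare identifier in a later edit could resolve to them unexpectedly. I would drop all three unless code outside these hunks needs them.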
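Review bot: `AssignableInterfaces` is added to `CommonSchemaTypesProjection` as a mutable `List` with a public setter, while the neighbouring `IndexTemplates` and `IndexComponents` are `IReadOnlyCollection`. The new Razor view only enumerates it, so `public IReadOnlyCollection<AssignableEntityInterface> AssignableInterfaces { get; set; }` would match its siblings and still accept the list assigned in `CreateProjection` (the element type is assumed from Types.cs, since the page shows the generic argument stripped). The class body starts and ends outside this hunk.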
@@ -97,12 +102,40 @@ public CommonSchemaTypesProjection CreateProjection() var nestedEntityTypes = CreateEntityTypes(); + var entities = EntityClasses.Values.Where(e => e.Name != "EcsDocument" && e.BaseFieldSet.FieldSet.Root != true).ToList(); + var assignables = entities + .Where(e => e.EntityReferences.Count > 0) + .SelectMany(e => e.EntityReferences.Select(r => (EntityClass: e, EntityPropertyReference: r)).ToList()) + .Select(r => + { + var prop = r.EntityPropertyReference; + var sharedKey = prop.Key.Split('.') switch + { + [.. { Length: > 1 } ] a => string.Join('.', a[1..]).PascalCase(), + _ => prop.Key.PascalCase() + }; + if (r.EntityPropertyReference.Value.Entity is SelfReferentialReusedEntityClass s) + sharedKey = s.Name; + return (Key: sharedKey, r.EntityClass, r.EntityPropertyReference); + }) + .GroupBy(e => e.Key) + .SelectMany(g => + g.Select(r => r.EntityPropertyReference.Value).DistinctBy(r=>r.ClrType) + .Select(r => new AssignableEntityInterface(g.Key, r, g.Select(r=>r.EntityClass).ToList())) + ) + //.DistinctBy(g=>g.Name) + .ToList(); + foreach (var entity in entities) + { + entity.AssignableInterfaces = assignables.Where(a => a.Entities.Contains(entity)).DistinctBy(a=>a.Name).ToList(); + } + Projection = new CommonSchemaTypesProjection { Version = Schema.Version, GitRef = Schema.GitRef, FieldSets = FieldSetsBaseClasses.Values.Where(e=>e.FieldSet.Root != true || e.FieldSet.Name == "base" ).ToList(), - EntityClasses = EntityClasses.Values.Where(e=>e.Name != "EcsDocument" && e.BaseFieldSet.FieldSet.Root != true).ToList(), + EntityClasses = entities, EntitiesWithPropertiesAtRoot = new Dictionary { { EntityClasses.Values.First(e=>e.Name == "Log"), new []{"level"}}, 
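Review bot: In the `GroupBy(e => e.Key)` stage every `AssignableEntityInterface` of a group is given `g.Select(r=>r.EntityClass).ToList()`, i.e. all entities of the group, even when `DistinctBy(r=>r.ClrType)` yields more than one property type for that key. If a key ever maps to two CLR types, the list holds two interfaces with the same `I{Key}` name and the same entities, the new view would emit that interface twice, and the per-entity `DistinctBy(a=>a.Name)` keeps whichever comes first rather than the one matching the entity's own property type. Grouping by `ClrType` inside the key group, as below, at least ties each interface to the entities that really have that type; the duplicate-name case still needs an explicit decision (fail, or record a warning) now that `//.DistinctBy(g=>g.Name)` is commented out. The nested lambdas also reuse `r` for three different element types, which the rewrite avoids. `CreateProjection` starts before this hunk and continues into the next one.

```csharp
// … unchanged: entities, and the Where/SelectMany/Select stages that compute (Key, EntityClass, EntityPropertyReference) …
    .GroupBy(e => e.Key)
    .SelectMany(group => group
        .GroupBy(member => member.EntityPropertyReference.Value.ClrType)
        .Select(byType => new AssignableEntityInterface(
            group.Key,
            byType.First().EntityPropertyReference.Value,
            byType.Select(member => member.EntityClass).ToList())))
    .ToList();
// … unchanged: foreach over entities assigning entity.AssignableInterfaces …
```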
@@ -114,8 +147,9 @@ public CommonSchemaTypesProjection CreateProjection() Warnings = Warnings.AsReadOnly(), IndexTemplates = Schema.Templates.Select(kv=>new IndexTemplate(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), IndexComponents = Schema.Components.Select(kv=>new IndexComponent(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), - + AssignableInterfaces = assignables }; + return Projection; } @@ -177,7 +211,7 @@ private Dictionary CreateEntityTypes() var nestedPath = parentPaths.FirstOrDefault(p => nestedEntityClasses.ContainsKey(p)); var entityPath = parentPaths.FirstOrDefault(p => EntityClasses.ContainsKey(p)); var description = entity is SelfReferentialReusedEntityClass s ? s.ReuseDescription : entity.BaseFieldSet.FieldSet.Description; - var isArray = entity is SelfReferentialReusedEntityClass ss && ss.IsArray; + var isArray = entity is SelfReferentialReusedEntityClass { IsArray: true }; if (!string.IsNullOrEmpty(nestedPath)) { var nestedEntityClassRef = new EntityPropertyReference(nestedPath, fullName, entity, description, isArray); diff --git a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs index a9dffafe..a07ff08d 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs @@ -4,11 +4,9 @@ namespace Elastic.CommonSchema.Generator.Projection { - public class FieldSetBaseClass + public class FieldSetBaseClass(FieldSet fieldSet) { - public FieldSetBaseClass(FieldSet fieldSet) => FieldSet = fieldSet; - - public FieldSet FieldSet { get; } + public FieldSet FieldSet { get; } = fieldSet; public string Name => $"{FieldSet.Name.PascalCase()}FieldSet"; public Dictionary Properties { get; } = new(); 
@@ -23,16 +21,10 @@ public class FieldSetBaseClass Properties.Values.OfType(); } - public class InlineObject + public class InlineObject(string name, Field field) { - public string Name { get; } - public Field Field { get; } - - public InlineObject(string name, Field field) - { - Name = name.PascalCase(); - Field = field; - } + public string Name { get; } = name.PascalCase(); + public Field Field { get; } = field; public Dictionary Properties { get; } = new(); @@ -41,25 +33,17 @@ public InlineObject(string name, Field field) public IEnumerable ValueProperties => Properties.Values.OfType(); - public IEnumerable InlineObjectProperties => - Properties.Values.OfType(); - public IEnumerable EntityProperties => EntityReferences.Values; public bool IsDictionary => ValueProperties.Count() + EntityProperties.Count() == 0; } - public class SelfReferentialReusedEntityClass : EntityClass + public class SelfReferentialReusedEntityClass + (string name, FieldSetBaseClass baseFieldSet, string reuseDescription, bool isArray) + : EntityClass(name, baseFieldSet) { - public SelfReferentialReusedEntityClass(string name, FieldSetBaseClass baseFieldSet, string reuseDescription, bool isArray) - : base(name, baseFieldSet) - { - ReuseDescription = reuseDescription; - IsArray = isArray; - } - - public string ReuseDescription { get; } - public bool IsArray { get; } + public string ReuseDescription { get; } = reuseDescription; + public bool IsArray { get; } = isArray; } 
@@ -79,7 +63,32 @@ public EntityClass(string name, FieldSetBaseClass baseFieldSet) public Dictionary EntityReferences { get; } = new(); public IEnumerable EntityProperties => EntityReferences.Values; + //provided later + public List AssignableInterfaces { get; set; } = new(); + + public string AssignableInterfacesAsString + { + get + { + if (!AssignableInterfaces.Any()) return string.Empty; + return $", {string.Join(", ", AssignableInterfaces.Select(i => i.Name))}"; + } + } } + public class AssignableEntityInterface + { + public AssignableEntityInterface(string name, EntityPropertyReference property, List entities) + { + Name = $"I{name}"; + Property = property; + Entities = entities; + } + + public EntityPropertyReference Property { get; } + public List Entities { get; } + public string Name { get; } + } + } diff --git a/tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml new file mode 100644 index 00000000..56c660f6 --- /dev/null +++ b/tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml 
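Review bot: `AssignableInterfacesAsString` returns its list with a leading `", "`, which is only correct because the Razor templates append it directly after `@entity.BaseFieldSet.Name`; that coupling is undocumented, and the `//provided later` comment on `AssignableInterfaces` does not say who provides it. I would replace the comment with `// Populated by CreateProjection in TypeProjector.cs once all entity references are known` and add a summary on the string property stating that it is a base-list suffix which is either empty or starts with a comma. Since the templates put a space before it, the generated base list will read `Name , IFoo`; emitting the separator in the template instead would avoid that. `AssignableEntityInterface` is also written with a classic constructor while this same commit converts its neighbours to primary constructors, so one style or the other should be used consistently.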
@@ -0,0 +1,41 @@ +@* ReSharper disable once RedundantUsingDirective *@ +@using System +@using System.Linq +@inherits Elastic.CommonSchema.Generator.Views.CodeTemplatePage +// Licensed to Elasticsearch B.V under one or more agreements. +// Elasticsearch B.V licenses this file to you under the Apache 2.0 License. +// See the LICENSE file in the project root for more information + +/* +IMPORTANT NOTE +============== +This file has been generated. +If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! +*/ + +// ReSharper disable RedundantUsingDirective +using System; +using System.Collections.Generic; +using System.Threading; +using System.Threading.Tasks; +using System.Linq; +using System.Net; +using System.Runtime.Serialization; +using System.Text.Json.Serialization; + +#nullable enable +namespace Elastic.CommonSchema +{ +@foreach (var inlineObject in Model.AssignableInterfaces) +{ + var prop = inlineObject.Property; + var implementations = string.Join(", ", inlineObject.Entities.Select(e=>e.Name)); + + /// Interface for entities that can assign an @(inlineObject.Name): @(implementations) + public interface @inlineObject.Name { + ///@prop.JsonProperty + public @prop.ClrType? @prop.Name { get; set; } + } + +} +} diff --git a/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml index 05bccb7e..330e6894 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml @@ -29,7 +29,7 @@ namespace Elastic.CommonSchema { /// - public class @entity.Name : @entity.BaseFieldSet.Name { + public class @entity.Name : @entity.BaseFieldSet.Name @entity.AssignableInterfacesAsString { @foreach (var property in entity.EntityProperties) { 
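Review bot: The loop in the new view iterates `Model.AssignableInterfaces` but names the item `inlineObject`, which reads as a leftover from the inline-objects template; `@foreach (var assignable in Model.AssignableInterfaces)` would describe what is being emitted. The emitted member `public @prop.ClrType? @prop.Name { get; set; }` carries an explicit `public`, which is redundant on an interface member and can be dropped. The summary line "entities that can assign an @(inlineObject.Name)" names the interface itself; naming the property (`@prop.Name`) would make the generated documentation say what the interface actually exposes.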
@@ -48,7 +48,7 @@ namespace Elastic.CommonSchema { /// - public@(entity.Partial ? " partial" : "") class @entity.Name : @entity.BaseFieldSet.Name { + public@(entity.Partial ? " partial" : "") class @entity.Name : @entity.BaseFieldSet.Name @entity.AssignableInterfacesAsString { @foreach (var property in entity.EntityProperties) { From 3cf4e0819838d07fe7f8ae7c848a86bd6c031477 Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Tue, 24 Sep 2024 17:53:03 +0200 Subject: [PATCH 3/8] stage --- .../EcsDocument.Generated.cs | 2 +- .../LogTemplateProperties.Generated.cs | 8378 +++++++++++++---- .../PropDispatch.Generated.cs | 5018 +++++++++- .../Repro/GithubIssue402.cs | 4 +- .../Projection/PropertyReference.cs | 18 + .../Projection/TypeProjector.cs | 41 +- .../Projection/Types.cs | 42 +- .../Views/EcsDocument.Generated.cshtml | 2 +- .../LogTemplateProperties.Generated.cshtml | 4 +- .../Views/PropDispatch.Generated.cshtml | 25 +- 10 files changed, 11522 insertions(+), 2012 deletions(-) diff --git a/src/Elastic.CommonSchema/EcsDocument.Generated.cs b/src/Elastic.CommonSchema/EcsDocument.Generated.cs index 3b513e4c..378d0bd8 100644 --- a/src/Elastic.CommonSchema/EcsDocument.Generated.cs +++ b/src/Elastic.CommonSchema/EcsDocument.Generated.cs @@ -24,7 +24,7 @@ If you wish to submit a PR please modify the original csharp file and submit the namespace Elastic.CommonSchema { /// - public partial class EcsDocument : BaseFieldSet + public partial class EcsDocument : BaseFieldSet , IAs, ICodeSignature, IElf, IGeo, IGroup, IHash, IMacho, IOs, IPe, IRisk, IUser, IVlan, IX509 { /// diff --git a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs index d1fa93a0..17ed6bce 100644 --- a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs +++ b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs 
@@ -201,6 +201,212 @@ public static class LogTemplateProperties /// public static string ClientTopLevelDomain = nameof(ClientTopLevelDomain); /// + /// client.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ClientAsNumber = nameof(ClientAsNumber); + /// + /// client.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string ClientAsOrganizationName = nameof(ClientAsOrganizationName); + /// + /// client.geo.city_name + /// City name. + /// Montreal + /// + public static string ClientGeoCityName = nameof(ClientGeoCityName); + /// + /// client.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string ClientGeoContinentCode = nameof(ClientGeoContinentCode); + /// + /// client.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ClientGeoContinentName = nameof(ClientGeoContinentName); + /// + /// client.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ClientGeoCountryIsoCode = nameof(ClientGeoCountryIsoCode); + /// + /// client.geo.country_name + /// Country name. + /// Canada + /// + public static string ClientGeoCountryName = nameof(ClientGeoCountryName); + /// + /// client.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ClientGeoName = nameof(ClientGeoName); + /// + /// client.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. 
+ /// 94040 + /// + public static string ClientGeoPostalCode = nameof(ClientGeoPostalCode); + /// + /// client.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ClientGeoRegionIsoCode = nameof(ClientGeoRegionIsoCode); + /// + /// client.geo.region_name + /// Region name. + /// Quebec + /// + public static string ClientGeoRegionName = nameof(ClientGeoRegionName); + /// + /// client.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ClientGeoTimezone = nameof(ClientGeoTimezone); + /// + /// client.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ClientUserDomain = nameof(ClientUserDomain); + /// + /// client.user.email + /// User email address. + /// + /// + public static string ClientUserEmail = nameof(ClientUserEmail); + /// + /// client.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ClientUserFullName = nameof(ClientUserFullName); + /// + /// client.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ClientUserHash = nameof(ClientUserHash); + /// + /// client.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ClientUserId = nameof(ClientUserId); + /// + /// client.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ClientUserName = nameof(ClientUserName); + /// + /// client.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. 
+ /// + /// + public static string ClientUserGroupDomain = nameof(ClientUserGroupDomain); + /// + /// client.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ClientUserGroupId = nameof(ClientUserGroupId); + /// + /// client.user.group.name + /// Name of the group. + /// + /// + public static string ClientUserGroupName = nameof(ClientUserGroupName); + /// + /// client.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ClientUserRiskCalculatedLevel = nameof(ClientUserRiskCalculatedLevel); + /// + /// client.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string ClientUserRiskCalculatedScore = nameof(ClientUserRiskCalculatedScore); + /// + /// client.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ClientUserRiskCalculatedScoreNorm = nameof(ClientUserRiskCalculatedScoreNorm); + /// + /// client.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ClientUserRiskStaticLevel = nameof(ClientUserRiskStaticLevel); + /// + /// client.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// 830.0 + /// + public static string ClientUserRiskStaticScore = nameof(ClientUserRiskStaticScore); + /// + /// client.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ClientUserRiskStaticScoreNorm = nameof(ClientUserRiskStaticScoreNorm); + /// + /// client.user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ClientUserUserDomain = nameof(ClientUserUserDomain); + /// + /// client.user.user.email + /// User email address. + /// + /// + public static string ClientUserUserEmail = nameof(ClientUserUserEmail); + /// + /// client.user.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ClientUserUserFullName = nameof(ClientUserUserFullName); + /// + /// client.user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ClientUserUserHash = nameof(ClientUserUserHash); + /// + /// client.user.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ClientUserUserId = nameof(ClientUserUserId); + /// + /// client.user.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ClientUserUserName = nameof(ClientUserUserName); + /// /// cloud.account.id /// The cloud account or organization id used to identify different entities in a multi-tenant environment. /// Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
@@ -272,6 +478,77 @@ public static class LogTemplateProperties /// public static string CloudServiceName = nameof(CloudServiceName); /// + /// cloud.cloud.account.id + /// The cloud account or organization id used to identify different entities in a multi-tenant environment. + /// Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + /// 666777888999 + /// + public static string CloudCloudAccountId = nameof(CloudCloudAccountId); + /// + /// cloud.cloud.account.name + /// The cloud account name or alias used to identify different entities in a multi-tenant environment. + /// Examples: AWS account name, Google Cloud ORG display name. + /// elastic-dev + /// + public static string CloudCloudAccountName = nameof(CloudCloudAccountName); + /// + /// cloud.cloud.availability_zone + /// Availability zone in which this host, resource, or service is located. + /// us-east-1c + /// + public static string CloudCloudAvailabilityZone = nameof(CloudCloudAvailabilityZone); + /// + /// cloud.cloud.instance.id + /// Instance ID of the host machine. + /// i-1234567890abcdef0 + /// + public static string CloudCloudInstanceId = nameof(CloudCloudInstanceId); + /// + /// cloud.cloud.instance.name + /// Instance name of the host machine. + /// + /// + public static string CloudCloudInstanceName = nameof(CloudCloudInstanceName); + /// + /// cloud.cloud.machine.type + /// Machine type of the host machine. + /// t2.medium + /// + public static string CloudCloudMachineType = nameof(CloudCloudMachineType); + /// + /// cloud.cloud.project.id + /// The cloud project identifier. + /// Examples: Google Cloud Project id, Azure Project id. + /// my-project + /// + public static string CloudCloudProjectId = nameof(CloudCloudProjectId); + /// + /// cloud.cloud.project.name + /// The cloud project name. + /// Examples: Google Cloud Project name, Azure Project name. 
+ /// my project + /// + public static string CloudCloudProjectName = nameof(CloudCloudProjectName); + /// + /// cloud.cloud.provider + /// Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + /// aws + /// + public static string CloudCloudProvider = nameof(CloudCloudProvider); + /// + /// cloud.cloud.region + /// Region in which this host, resource, or service is located. + /// us-east-1 + /// + public static string CloudCloudRegion = nameof(CloudCloudRegion); + /// + /// cloud.cloud.service.name + /// The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + /// Examples: app engine, app service, cloud run, fargate, lambda. + /// lambda + /// + public static string CloudCloudServiceName = nameof(CloudCloudServiceName); + /// /// code_signature.digest_algorithm /// The hashing algorithm used to sign the process. /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. 
@@ -507,2304 +784,6302 @@ public static class LogTemplateProperties /// public static string DestinationTopLevelDomain = nameof(DestinationTopLevelDomain); /// - /// device.id - /// The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. - /// On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. - /// For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. - /// 00000000-54b3-e7c7-0000-000046bffd97 + /// destination.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 /// - public static string DeviceId = nameof(DeviceId); + public static string DestinationAsNumber = nameof(DestinationAsNumber); /// - /// device.manufacturer - /// The vendor name of the device manufacturer. - /// Samsung + /// destination.as.organization.name + /// Organization name. + /// Google LLC /// - public static string DeviceManufacturer = nameof(DeviceManufacturer); + public static string DestinationAsOrganizationName = nameof(DestinationAsOrganizationName); /// - /// device.model.identifier - /// The machine readable identifier of the device model. - /// SM-G920F + /// destination.geo.city_name + /// City name. + /// Montreal /// - public static string DeviceModelIdentifier = nameof(DeviceModelIdentifier); + public static string DestinationGeoCityName = nameof(DestinationGeoCityName); /// - /// device.model.name - /// The human readable marketing name of the device model. - /// Samsung Galaxy S6 + /// destination.geo.continent_code + /// Two-letter code representing continent's name. 
+ /// NA /// - public static string DeviceModelName = nameof(DeviceModelName); + public static string DestinationGeoContinentCode = nameof(DestinationGeoContinentCode); /// - /// dll.name - /// Name of the library. - /// This generally maps to the name of the file on disk. - /// kernel32.dll + /// destination.geo.continent_name + /// Name of the continent. + /// North America /// - public static string DllName = nameof(DllName); + public static string DestinationGeoContinentName = nameof(DestinationGeoContinentName); /// - /// dll.path - /// Full file path of the library. - /// C:\Windows\System32\kernel32.dll + /// destination.geo.country_iso_code + /// Country ISO code. + /// CA /// - public static string DllPath = nameof(DllPath); + public static string DestinationGeoCountryIsoCode = nameof(DestinationGeoCountryIsoCode); /// - /// dns.id - /// The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - /// 62111 + /// destination.geo.country_name + /// Country name. + /// Canada /// - public static string DnsId = nameof(DnsId); + public static string DestinationGeoCountryName = nameof(DestinationGeoCountryName); /// - /// dns.op_code - /// The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - /// QUERY + /// destination.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc /// - public static string DnsOpCode = nameof(DnsOpCode); + public static string DestinationGeoName = nameof(DestinationGeoName); /// - /// dns.question.class - /// The class of records being queried. - /// IN + /// destination.geo.postal_code + /// Postal code associated with the location. 
+ /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 /// - public static string DnsQuestionClass = nameof(DnsQuestionClass); + public static string DestinationGeoPostalCode = nameof(DestinationGeoPostalCode); /// - /// dns.question.name - /// The name being queried. - /// If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - /// www.example.com + /// destination.geo.region_iso_code + /// Region ISO code. + /// CA-QC /// - public static string DnsQuestionName = nameof(DnsQuestionName); + public static string DestinationGeoRegionIsoCode = nameof(DestinationGeoRegionIsoCode); /// - /// dns.question.registered_domain - /// The highest registered domain, stripped of the subdomain. - /// For example, the registered domain for "foo.example.com" is "example.com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - /// example.com - /// - public static string DnsQuestionRegisteredDomain = nameof(DnsQuestionRegisteredDomain); - /// - /// dns.question.subdomain - /// The subdomain is all of the labels under the registered_domain. - /// If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - /// www - /// - public static string DnsQuestionSubdomain = nameof(DnsQuestionSubdomain); - /// - /// dns.question.top_level_domain - /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - /// co.uk - /// - public static string DnsQuestionTopLevelDomain = nameof(DnsQuestionTopLevelDomain); - /// - /// dns.question.type - /// The type of record being queried. - /// AAAA - /// - public static string DnsQuestionType = nameof(DnsQuestionType); - /// - /// dns.response_code - /// The DNS response code. - /// NOERROR - /// - public static string DnsResponseCode = nameof(DnsResponseCode); - /// - /// dns.type - /// The type of DNS event captured, query or answer. - /// If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - /// If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - /// answer + /// destination.geo.region_name + /// Region name. + /// Quebec /// - public static string DnsType = nameof(DnsType); + public static string DestinationGeoRegionName = nameof(DestinationGeoRegionName); /// - /// ecs.version - /// ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - /// When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - ///
This is a required field
- /// 1.0.0 + /// destination.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires ///
- public static string EcsVersion = nameof(EcsVersion); + public static string DestinationGeoTimezone = nameof(DestinationGeoTimezone); /// - /// elf.architecture - /// Machine architecture of the ELF file. - /// x86-64 + /// destination.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string ElfArchitecture = nameof(ElfArchitecture); + public static string DestinationUserDomain = nameof(DestinationUserDomain); /// - /// elf.byte_order - /// Byte sequence of ELF file. - /// Little Endian + /// destination.user.email + /// User email address. + /// /// - public static string ElfByteOrder = nameof(ElfByteOrder); + public static string DestinationUserEmail = nameof(DestinationUserEmail); /// - /// elf.cpu_type - /// CPU type of the ELF file. - /// Intel + /// destination.user.full_name + /// User's full name, if available. + /// Albert Einstein /// - public static string ElfCpuType = nameof(ElfCpuType); + public static string DestinationUserFullName = nameof(DestinationUserFullName); /// - /// elf.creation_date - /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + /// destination.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ElfCreationDate = nameof(ElfCreationDate); + public static string DestinationUserHash = nameof(DestinationUserHash); /// - /// elf.go_import_hash - /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
- /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). - /// 10bddcb4cee42080f76c88d9ff964491 + /// destination.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ElfGoImportHash = nameof(ElfGoImportHash); + public static string DestinationUserId = nameof(DestinationUserId); /// - /// elf.go_imports - /// List of imported Go language element names and types. - /// + /// destination.user.name + /// Short name or login of the user. + /// a.einstein /// - public static string ElfGoImports = nameof(ElfGoImports); + public static string DestinationUserName = nameof(DestinationUserName); /// - /// elf.go_imports_names_entropy - /// Shannon entropy calculation from the list of Go imports. + /// destination.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. /// /// - public static string ElfGoImportsNamesEntropy = nameof(ElfGoImportsNamesEntropy); + public static string DestinationUserGroupDomain = nameof(DestinationUserGroupDomain); /// - /// elf.go_imports_names_var_entropy - /// Variance for Shannon entropy calculation from the list of Go imports. + /// destination.user.group.id + /// Unique identifier for the group on the system/platform. /// /// - public static string ElfGoImportsNamesVarEntropy = nameof(ElfGoImportsNamesVarEntropy); + public static string DestinationUserGroupId = nameof(DestinationUserGroupId); /// - /// elf.go_stripped - /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// destination.user.group.name + /// Name of the group. 
/// /// - public static string ElfGoStripped = nameof(ElfGoStripped); + public static string DestinationUserGroupName = nameof(DestinationUserGroupName); /// - /// elf.header.abi_version - /// Version of the ELF Application Binary Interface (ABI). - /// + /// destination.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High /// - public static string ElfHeaderAbiVersion = nameof(ElfHeaderAbiVersion); + public static string DestinationUserRiskCalculatedLevel = nameof(DestinationUserRiskCalculatedLevel); /// - /// elf.header.class - /// Header class of the ELF file. - /// + /// destination.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 /// - public static string ElfHeaderClass = nameof(ElfHeaderClass); + public static string DestinationUserRiskCalculatedScore = nameof(DestinationUserRiskCalculatedScore); /// - /// elf.header.data - /// Data table of the ELF header. - /// + /// destination.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 /// - public static string ElfHeaderData = nameof(ElfHeaderData); + public static string DestinationUserRiskCalculatedScoreNorm = nameof(DestinationUserRiskCalculatedScoreNorm); /// - /// elf.header.entrypoint - /// Header entrypoint of the ELF file. - /// + /// destination.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High /// - public static string ElfHeaderEntrypoint = nameof(ElfHeaderEntrypoint); + public static string DestinationUserRiskStaticLevel = nameof(DestinationUserRiskStaticLevel); /// - /// elf.header.object_version - /// "0x1" for original ELF files. 
- /// + /// destination.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 /// - public static string ElfHeaderObjectVersion = nameof(ElfHeaderObjectVersion); + public static string DestinationUserRiskStaticScore = nameof(DestinationUserRiskStaticScore); /// - /// elf.header.os_abi - /// Application Binary Interface (ABI) of the Linux OS. - /// + /// destination.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 /// - public static string ElfHeaderOsAbi = nameof(ElfHeaderOsAbi); + public static string DestinationUserRiskStaticScoreNorm = nameof(DestinationUserRiskStaticScoreNorm); /// - /// elf.header.type - /// Header type of the ELF file. + /// destination.user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. /// /// - public static string ElfHeaderType = nameof(ElfHeaderType); + public static string DestinationUserUserDomain = nameof(DestinationUserUserDomain); /// - /// elf.header.version - /// Version of the ELF header. + /// destination.user.user.email + /// User email address. /// /// - public static string ElfHeaderVersion = nameof(ElfHeaderVersion); + public static string DestinationUserUserEmail = nameof(DestinationUserUserEmail); /// - /// elf.import_hash - /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// This is an ELF implementation of the Windows PE imphash. - /// d41d8cd98f00b204e9800998ecf8427e + /// destination.user.user.full_name + /// User's full name, if available. 
+ /// Albert Einstein /// - public static string ElfImportHash = nameof(ElfImportHash); + public static string DestinationUserUserFullName = nameof(DestinationUserUserFullName); /// - /// elf.imports_names_entropy - /// Shannon entropy calculation from the list of imported element names and types. + /// destination.user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ElfImportsNamesEntropy = nameof(ElfImportsNamesEntropy); + public static string DestinationUserUserHash = nameof(DestinationUserUserHash); /// - /// elf.imports_names_var_entropy - /// Variance for Shannon entropy calculation from the list of imported element names and types. - /// + /// destination.user.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ElfImportsNamesVarEntropy = nameof(ElfImportsNamesVarEntropy); + public static string DestinationUserUserId = nameof(DestinationUserUserId); /// - /// elf.telfhash - /// telfhash symbol hash for ELF file. - /// + /// destination.user.user.name + /// Short name or login of the user. + /// a.einstein /// - public static string ElfTelfhash = nameof(ElfTelfhash); + public static string DestinationUserUserName = nameof(DestinationUserUserName); /// - /// email.content_type - /// Information about how the message is to be displayed. - /// Typically a MIME type. - /// text/plain + /// device.id + /// The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. + /// On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). 
On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. + /// For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. + /// 00000000-54b3-e7c7-0000-000046bffd97 /// - public static string EmailContentType = nameof(EmailContentType); + public static string DeviceId = nameof(DeviceId); /// - /// email.delivery_timestamp - /// The date and time when the email message was received by the service or client. - /// 11/10/2020 10:12:34 PM + /// device.manufacturer + /// The vendor name of the device manufacturer. + /// Samsung /// - public static string EmailDeliveryTimestamp = nameof(EmailDeliveryTimestamp); + public static string DeviceManufacturer = nameof(DeviceManufacturer); /// - /// email.direction - /// The direction of the message based on the sending and receiving domains. - /// inbound + /// device.model.identifier + /// The machine readable identifier of the device model. + /// SM-G920F /// - public static string EmailDirection = nameof(EmailDirection); + public static string DeviceModelIdentifier = nameof(DeviceModelIdentifier); /// - /// email.local_id - /// Unique identifier given to the email by the source that created the event. - /// Identifier is not persistent across hops. - /// c26dbea0-80d5-463b-b93c-4e8b708219ce + /// device.model.name + /// The human readable marketing name of the device model. + /// Samsung Galaxy S6 /// - public static string EmailLocalId = nameof(EmailLocalId); + public static string DeviceModelName = nameof(DeviceModelName); /// - /// email.message_id - /// Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. - /// 81ce15$8r2j59@mail01.example.com + /// dll.name + /// Name of the library. + /// This generally maps to the name of the file on disk. 
+ /// kernel32.dll /// - public static string EmailMessageId = nameof(EmailMessageId); + public static string DllName = nameof(DllName); /// - /// email.origination_timestamp - /// The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. - /// 11/10/2020 10:12:34 PM + /// dll.path + /// Full file path of the library. + /// C:\Windows\System32\kernel32.dll /// - public static string EmailOriginationTimestamp = nameof(EmailOriginationTimestamp); + public static string DllPath = nameof(DllPath); /// - /// email.sender.address - /// Per RFC 5322, specifies the address responsible for the actual transmission of the message. + /// dll.hash.md5 + /// MD5 hash. /// /// - public static string EmailSenderAddress = nameof(EmailSenderAddress); + public static string DllHashMd5 = nameof(DllHashMd5); /// - /// email.subject - /// A brief summary of the topic of the message. - /// Please see this important message. + /// dll.hash.sha1 + /// SHA1 hash. + /// /// - public static string EmailSubject = nameof(EmailSubject); + public static string DllHashSha1 = nameof(DllHashSha1); /// - /// email.x_mailer - /// The name of the application that was used to draft and send the original email message. - /// Spambot v2.5 + /// dll.hash.sha256 + /// SHA256 hash. + /// /// - public static string EmailXMailer = nameof(EmailXMailer); + public static string DllHashSha256 = nameof(DllHashSha256); /// - /// error.code - /// Error code describing the error. + /// dll.hash.sha384 + /// SHA384 hash. /// /// - public static string ErrorCode = nameof(ErrorCode); + public static string DllHashSha384 = nameof(DllHashSha384); /// - /// error.id - /// Unique identifier for the error. + /// dll.hash.sha512 + /// SHA512 hash. /// /// - public static string ErrorId = nameof(ErrorId); + public static string DllHashSha512 = nameof(DllHashSha512); /// - /// error.message - /// Error message. 
+ /// dll.hash.ssdeep + /// SSDEEP hash. /// /// - public static string ErrorMessage = nameof(ErrorMessage); + public static string DllHashSsdeep = nameof(DllHashSsdeep); /// - /// error.stack_trace - /// The stack trace of this error in plain text. + /// dll.hash.tlsh + /// TLSH hash. /// /// - public static string ErrorStackTrace = nameof(ErrorStackTrace); + public static string DllHashTlsh = nameof(DllHashTlsh); /// - /// error.type - /// The type of the error, for example the class name of the exception. - /// java.lang.NullPointerException + /// dll.pe.architecture + /// CPU architecture target for the file. + /// x64 /// - public static string ErrorType = nameof(ErrorType); + public static string DllPeArchitecture = nameof(DllPeArchitecture); /// - /// event.action - /// The action captured by the event. - /// This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - /// user-password-change + /// dll.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation /// - public static string EventAction = nameof(EventAction); + public static string DllPeCompany = nameof(DllPeCompany); /// - /// event.agent_id_status - /// Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. - /// For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. 
- /// If no validation is performed then the field should be omitted. - /// The allowed values are: - /// `verified` - The `agent.id` field value matches expected value obtained from auth metadata. - /// `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. - /// `missing` - There was no `agent.id` field in the event to validate. - /// `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. - /// verified + /// dll.pe.description + /// Internal description of the file, provided at compile-time. + /// Paint /// - public static string EventAgentIdStatus = nameof(EventAgentIdStatus); + public static string DllPeDescription = nameof(DllPeDescription); /// - /// event.code - /// Identification code for this event, if one exists. - /// Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - /// 4648 + /// dll.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 /// - public static string EventCode = nameof(EventCode); + public static string DllPeFileVersion = nameof(DllPeFileVersion); /// - /// event.created - /// `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. - /// This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. - /// In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - /// In case the two timestamps are identical, `@timestamp` should be used. 
- /// 5/23/2016 8:05:34 AM + /// dll.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string EventCreated = nameof(EventCreated); + public static string DllPeGoImportHash = nameof(DllPeGoImportHash); /// - /// event.dataset - /// Name of the dataset. - /// If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - /// It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - /// apache.access + /// dll.pe.go_imports + /// List of imported Go language element names and types. + /// /// - public static string EventDataset = nameof(EventDataset); + public static string DllPeGoImports = nameof(DllPeGoImports); /// - /// event.duration - /// Duration of the event in nanoseconds. - /// If `event.start` and `event.end` are known this value should be the difference between the end and start time. + /// dll.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. /// /// - public static string EventDuration = nameof(EventDuration); + public static string DllPeGoImportsNamesEntropy = nameof(DllPeGoImportsNamesEntropy); /// - /// event.end - /// `event.end` contains the date when the event ended or when the activity was last observed. + /// dll.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. 
/// /// - public static string EventEnd = nameof(EventEnd); + public static string DllPeGoImportsNamesVarEntropy = nameof(DllPeGoImportsNamesVarEntropy); /// - /// event.hash - /// Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - /// 123456789012345678901234567890ABCD + /// dll.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// /// - public static string EventHash = nameof(EventHash); + public static string DllPeGoStripped = nameof(DllPeGoStripped); /// - /// event.id - /// Unique ID to describe the event. - /// 8a4f500d + /// dll.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf /// - public static string EventId = nameof(EventId); + public static string DllPeImphash = nameof(DllPeImphash); /// - /// event.ingested - /// Timestamp when an event arrived in the central data store. - /// This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - /// In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - /// 5/23/2016 8:05:35 AM + /// dll.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. 
+ /// d41d8cd98f00b204e9800998ecf8427e /// - public static string EventIngested = nameof(EventIngested); + public static string DllPeImportHash = nameof(DllPeImportHash); /// - /// event.kind - /// This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - /// `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - /// The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. - ///
Allowed Values:
- /// - /// ValueDescription - /// alertThis value indicates an event such as an alert or notable event, triggered by a detection rule executing externally to the Elastic Stack. - /// `event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and so on. - /// This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework. - /// assetThis value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. - /// Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs. - /// This value is used by Elastic Security for asset management solutions. `event.kind: asset` is not used for normal system events or logs that are coming from an asset/entity, nor is it used for system events or logs coming from a directory or CMDB system. - /// enrichmentThe `enrichment` value indicates an event collected to provide additional context, often to other events. - /// An example is collecting indicators of compromise (IOCs) from a threat intelligence provider with the intent to use those values to enrich other events. The IOC events from the intelligence provider should be categorized as `event.kind:enrichment`. - /// eventThis value is the most general and most common value for this field. It is used to represent events that indicate that something happened. - /// metricThis value is used to indicate that this event describes a numeric measurement taken at given point in time. - /// Examples include CPU utilization, memory usage, or device temperature. 
- /// Metric events are often collected on a predictable frequency, such as once every few seconds, or once a minute, but can also be used to describe ad-hoc numeric metric queries. - /// stateThe state value is similar to metric, indicating that this event describes a measurement taken at given point in time, except that the measurement does not result in a numeric value, but rather one of a fixed set of categorical values that represent conditions or states. - /// Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), the state of a TCP connection (open, closed, fin_wait, etc.), the state of a host with respect to a software vulnerability (vulnerable, not vulnerable), and the state of a system regarding compliance with a regulatory standard (compliant, not compliant). - /// Note that an event that describes a change of state would not use `event.kind:state`, but instead would use 'event.kind:event' since a state change fits the more general event definition of something that happened. - /// State events are often collected on a predictable frequency, such as once every few seconds, once a minute, once an hour, or once a day, but can also be used to describe ad-hoc state queries. - /// pipeline_errorThis value indicates that an error occurred during the ingestion of this event, and that event data may be missing, inconsistent, or incorrect. `event.kind:pipeline_error` is often associated with parsing errors. - /// signalThis value is used by Elastic solutions (e.g., Security, Observability) for alert documents that are created by rules executing within the Kibana alerting framework. - /// Usage of this value is reserved, and data ingestion pipelines must not populate `event.kind` with the value "signal". - ///
- /// alert + /// dll.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// ///
- public static string EventKind = nameof(EventKind); + public static string DllPeImportsNamesEntropy = nameof(DllPeImportsNamesEntropy); /// - /// event.module - /// Name of the module this data is coming from. - /// If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - /// apache + /// dll.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string EventModule = nameof(EventModule); + public static string DllPeImportsNamesVarEntropy = nameof(DllPeImportsNamesVarEntropy); /// - /// event.original - /// Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - /// This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - ///
Stored but not available for search in Elasticsearch by default
- /// Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + /// dll.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE ///
- public static string EventOriginal = nameof(EventOriginal); + public static string DllPeOriginalFileName = nameof(DllPeOriginalFileName); /// - /// event.outcome - /// This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - /// `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - /// Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - /// Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - /// Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - ///
Allowed Values:
- /// - /// ValueDescription - /// failureIndicates that this event describes a failed result. A common example is `event.category:file AND event.type:access AND event.outcome:failure` to indicate that a file access was attempted, but was not successful. - /// successIndicates that this event describes a successful result. A common example is `event.category:file AND event.type:create AND event.outcome:success` to indicate that a file was successfully created. - /// unknownIndicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated. - ///
- /// success + /// dll.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 ///
- public static string EventOutcome = nameof(EventOutcome); + public static string DllPePehash = nameof(DllPePehash); /// - /// event.provider - /// Source of the event. - /// Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - /// kernel + /// dll.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System /// - public static string EventProvider = nameof(EventProvider); + public static string DllPeProduct = nameof(DllPeProduct); /// - /// event.reason - /// Reason why this event happened, according to the source. - /// This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - /// Terminated an unexpected process + /// dll.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 /// - public static string EventReason = nameof(EventReason); + public static string DllCodeSignatureDigestAlgorithm = nameof(DllCodeSignatureDigestAlgorithm); /// - /// event.reference - /// Reference URL linking to additional information about this event. - /// This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - /// https://system.example.com/event/#0001234 + /// dll.code_signature.exists + /// Boolean to capture if a signature is present. 
+ /// true /// - public static string EventReference = nameof(EventReference); + public static string DllCodeSignatureExists = nameof(DllCodeSignatureExists); /// - /// event.risk_score - /// Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - /// + /// dll.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy /// - public static string EventRiskScore = nameof(EventRiskScore); + public static string DllCodeSignatureSigningId = nameof(DllCodeSignatureSigningId); /// - /// event.risk_score_norm - /// Normalized risk score or priority of the event, on a scale of 0 to 100. - /// This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - /// + /// dll.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT /// - public static string EventRiskScoreNorm = nameof(EventRiskScoreNorm); + public static string DllCodeSignatureStatus = nameof(DllCodeSignatureStatus); /// - /// event.sequence - /// Sequence number of the event. - /// The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - /// + /// dll.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation /// - public static string EventSequence = nameof(EventSequence); + public static string DllCodeSignatureSubjectName = nameof(DllCodeSignatureSubjectName); /// - /// event.severity - /// The numeric severity of the event according to your event source. 
- /// What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - /// The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - /// 7 + /// dll.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV /// - public static string EventSeverity = nameof(EventSeverity); + public static string DllCodeSignatureTeamId = nameof(DllCodeSignatureTeamId); /// - /// event.start - /// `event.start` contains the date when the event started or when the activity was first observed. - /// + /// dll.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM /// - public static string EventStart = nameof(EventStart); + public static string DllCodeSignatureTimestamp = nameof(DllCodeSignatureTimestamp); /// - /// event.timezone - /// This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - /// Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - /// + /// dll.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ /// true /// - public static string EventTimezone = nameof(EventTimezone); + public static string DllCodeSignatureTrusted = nameof(DllCodeSignatureTrusted); /// - /// event.url - /// URL linking to an external system to continue investigation of this event. - /// This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - /// https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + /// dll.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. + /// true /// - public static string EventUrl = nameof(EventUrl); + public static string DllCodeSignatureValid = nameof(DllCodeSignatureValid); /// - /// faas.coldstart - /// Boolean value indicating a cold start of a function. - /// + /// dns.id + /// The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + /// 62111 /// - public static string FaasColdstart = nameof(FaasColdstart); + public static string DnsId = nameof(DnsId); /// - /// faas.execution - /// The execution ID of the current function execution. - /// af9d5aa4-a685-4c5f-a22b-444f80b3cc28 + /// dns.op_code + /// The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + /// QUERY /// - public static string FaasExecution = nameof(FaasExecution); + public static string DnsOpCode = nameof(DnsOpCode); /// - /// faas.id - /// The unique identifier of a serverless function. - /// For AWS Lambda it's the function ARN (Amazon Resource Name) without a version or alias suffix. - /// arn:aws:lambda:us-west-2:123456789012:function:my-function + /// dns.question.class + /// The class of records being queried. 
+ /// IN /// - public static string FaasId = nameof(FaasId); + public static string DnsQuestionClass = nameof(DnsQuestionClass); /// - /// faas.name - /// The name of a serverless function. - /// my-function + /// dns.question.name + /// The name being queried. + /// If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + /// www.example.com /// - public static string FaasName = nameof(FaasName); + public static string DnsQuestionName = nameof(DnsQuestionName); /// - /// faas.trigger.request_id - /// The ID of the trigger request , message, event, etc. - /// 123456789 + /// dns.question.registered_domain + /// The highest registered domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com /// - public static string FaasTriggerRequestId = nameof(FaasTriggerRequestId); + public static string DnsQuestionRegisteredDomain = nameof(DnsQuestionRegisteredDomain); /// - /// faas.trigger.type - /// The trigger for the function execution. - ///
Expected Values:
- /// - /// http - /// pubsub - /// datasource - /// timer - /// other - ///
- /// http + /// dns.question.subdomain + /// The subdomain is all of the labels under the registered_domain. + /// If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// www ///
- public static string FaasTriggerType = nameof(FaasTriggerType); + public static string DnsQuestionSubdomain = nameof(DnsQuestionSubdomain); /// - /// faas.version - /// The version of a serverless function. - /// 123 + /// dns.question.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk /// - public static string FaasVersion = nameof(FaasVersion); + public static string DnsQuestionTopLevelDomain = nameof(DnsQuestionTopLevelDomain); /// - /// file.accessed - /// Last time the file was accessed. - /// Note that not all filesystems keep track of access time. - /// + /// dns.question.type + /// The type of record being queried. + /// AAAA /// - public static string FileAccessed = nameof(FileAccessed); + public static string DnsQuestionType = nameof(DnsQuestionType); /// - /// file.created - /// File creation time. - /// Note that not all filesystems store the creation time. - /// + /// dns.response_code + /// The DNS response code. + /// NOERROR /// - public static string FileCreated = nameof(FileCreated); + public static string DnsResponseCode = nameof(DnsResponseCode); /// - /// file.ctime - /// Last time the file attributes or metadata changed. - /// Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - /// + /// dns.type + /// The type of DNS event captured, query or answer. + /// If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. 
+ /// If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + /// answer /// - public static string FileCtime = nameof(FileCtime); + public static string DnsType = nameof(DnsType); /// - /// file.device - /// Device that is the source of the file. - /// sda + /// ecs.version + /// ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + /// When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + ///
This is a required field
+ /// 1.0.0 ///
- public static string FileDevice = nameof(FileDevice); + public static string EcsVersion = nameof(EcsVersion); /// - /// file.directory - /// Directory where the file is located. It should include the drive letter, when appropriate. - /// /home/alice + /// elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 /// - public static string FileDirectory = nameof(FileDirectory); + public static string ElfArchitecture = nameof(ElfArchitecture); /// - /// file.drive_letter - /// Drive letter where the file is located. This field is only relevant on Windows. - /// The value should be uppercase, and not include the colon. - /// C + /// elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian /// - public static string FileDriveLetter = nameof(FileDriveLetter); + public static string ElfByteOrder = nameof(ElfByteOrder); /// - /// file.extension - /// File extension, excluding the leading dot. - /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - /// png + /// elf.cpu_type + /// CPU type of the ELF file. + /// Intel /// - public static string FileExtension = nameof(FileExtension); + public static string ElfCpuType = nameof(ElfCpuType); /// - /// file.fork_name - /// A fork is additional data associated with a filesystem object. - /// On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. - /// On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. 
`filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. - /// Zone.Identifer + /// elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + /// /// - public static string FileForkName = nameof(FileForkName); + public static string ElfCreationDate = nameof(ElfCreationDate); /// - /// file.gid - /// Primary group ID (GID) of the file. - /// 1001 + /// elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string FileGid = nameof(FileGid); + public static string ElfGoImportHash = nameof(ElfGoImportHash); /// - /// file.group - /// Primary group name of the file. - /// alice + /// elf.go_imports + /// List of imported Go language element names and types. + /// /// - public static string FileGroup = nameof(FileGroup); + public static string ElfGoImports = nameof(ElfGoImports); /// - /// file.inode - /// Inode representing the file in the filesystem. - /// 256383 + /// elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string FileInode = nameof(FileInode); + public static string ElfGoImportsNamesEntropy = nameof(ElfGoImportsNamesEntropy); /// - /// file.mime_type - /// MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used. + /// elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string FileMimeType = nameof(FileMimeType); + public static string ElfGoImportsNamesVarEntropy = nameof(ElfGoImportsNamesVarEntropy); /// - /// file.mode - /// Mode of the file in octal representation. - /// 0640 + /// elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// /// - public static string FileMode = nameof(FileMode); + public static string ElfGoStripped = nameof(ElfGoStripped); /// - /// file.mtime - /// Last time the file content was modified. + /// elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). /// /// - public static string FileMtime = nameof(FileMtime); + public static string ElfHeaderAbiVersion = nameof(ElfHeaderAbiVersion); /// - /// file.name - /// Name of the file including the extension, without the directory. - /// example.png + /// elf.header.class + /// Header class of the ELF file. + /// /// - public static string FileName = nameof(FileName); + public static string ElfHeaderClass = nameof(ElfHeaderClass); /// - /// file.owner - /// File owner's username. - /// alice + /// elf.header.data + /// Data table of the ELF header. + /// /// - public static string FileOwner = nameof(FileOwner); + public static string ElfHeaderData = nameof(ElfHeaderData); /// - /// file.path - /// Full path to the file, including the file name. It should include the drive letter, when appropriate. - /// /home/alice/example.png + /// elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// /// - public static string FilePath = nameof(FilePath); + public static string ElfHeaderEntrypoint = nameof(ElfHeaderEntrypoint); /// - /// file.size - /// File size in bytes. 
- /// Only relevant when `file.type` is "file". - /// 16384 + /// elf.header.object_version + /// "0x1" for original ELF files. + /// /// - public static string FileSize = nameof(FileSize); + public static string ElfHeaderObjectVersion = nameof(ElfHeaderObjectVersion); /// - /// file.target_path - /// Target path for symlinks. + /// elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. /// /// - public static string FileTargetPath = nameof(FileTargetPath); + public static string ElfHeaderOsAbi = nameof(ElfHeaderOsAbi); /// - /// file.type - /// File type (file, dir, or symlink). - /// file + /// elf.header.type + /// Header type of the ELF file. + /// /// - public static string FileType = nameof(FileType); + public static string ElfHeaderType = nameof(ElfHeaderType); /// - /// file.uid - /// The user ID (UID) or security identifier (SID) of the file owner. - /// 1001 + /// elf.header.version + /// Version of the ELF header. + /// /// - public static string FileUid = nameof(FileUid); + public static string ElfHeaderVersion = nameof(ElfHeaderVersion); /// - /// geo.city_name - /// City name. - /// Montreal + /// elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e /// - public static string GeoCityName = nameof(GeoCityName); + public static string ElfImportHash = nameof(ElfImportHash); /// - /// geo.continent_code - /// Two-letter code representing continent's name. - /// NA + /// elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. 
+ /// /// - public static string GeoContinentCode = nameof(GeoContinentCode); + public static string ElfImportsNamesEntropy = nameof(ElfImportsNamesEntropy); /// - /// geo.continent_name - /// Name of the continent. - /// North America + /// elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string GeoContinentName = nameof(GeoContinentName); + public static string ElfImportsNamesVarEntropy = nameof(ElfImportsNamesVarEntropy); /// - /// geo.country_iso_code - /// Country ISO code. - /// CA + /// elf.telfhash + /// telfhash symbol hash for ELF file. + /// /// - public static string GeoCountryIsoCode = nameof(GeoCountryIsoCode); + public static string ElfTelfhash = nameof(ElfTelfhash); /// - /// geo.country_name - /// Country name. - /// Canada + /// email.content_type + /// Information about how the message is to be displayed. + /// Typically a MIME type. + /// text/plain /// - public static string GeoCountryName = nameof(GeoCountryName); + public static string EmailContentType = nameof(EmailContentType); /// - /// geo.name - /// User-defined description of a location, at the level of granularity they care about. - /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - /// Not typically used in automated geolocation. - /// boston-dc - /// - public static string GeoName = nameof(GeoName); - /// - /// geo.postal_code - /// Postal code associated with the location. - /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - /// 94040 + /// email.delivery_timestamp + /// The date and time when the email message was received by the service or client. 
+ /// 11/10/2020 10:12:34 PM /// - public static string GeoPostalCode = nameof(GeoPostalCode); + public static string EmailDeliveryTimestamp = nameof(EmailDeliveryTimestamp); /// - /// geo.region_iso_code - /// Region ISO code. - /// CA-QC + /// email.direction + /// The direction of the message based on the sending and receiving domains. + /// inbound /// - public static string GeoRegionIsoCode = nameof(GeoRegionIsoCode); + public static string EmailDirection = nameof(EmailDirection); /// - /// geo.region_name - /// Region name. - /// Quebec + /// email.local_id + /// Unique identifier given to the email by the source that created the event. + /// Identifier is not persistent across hops. + /// c26dbea0-80d5-463b-b93c-4e8b708219ce /// - public static string GeoRegionName = nameof(GeoRegionName); + public static string EmailLocalId = nameof(EmailLocalId); /// - /// geo.timezone - /// The time zone of the location, such as IANA time zone name. - /// America/Argentina/Buenos_Aires + /// email.message_id + /// Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + /// 81ce15$8r2j59@mail01.example.com /// - public static string GeoTimezone = nameof(GeoTimezone); + public static string EmailMessageId = nameof(EmailMessageId); /// - /// group.domain - /// Name of the directory the group is a member of. - /// For example, an LDAP or Active Directory domain name. - /// + /// email.origination_timestamp + /// The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. + /// 11/10/2020 10:12:34 PM /// - public static string GroupDomain = nameof(GroupDomain); + public static string EmailOriginationTimestamp = nameof(EmailOriginationTimestamp); /// - /// group.id - /// Unique identifier for the group on the system/platform. + /// email.sender.address + /// Per RFC 5322, specifies the address responsible for the actual transmission of the message. 
/// /// - public static string GroupId = nameof(GroupId); + public static string EmailSenderAddress = nameof(EmailSenderAddress); /// - /// group.name - /// Name of the group. - /// + /// email.subject + /// A brief summary of the topic of the message. + /// Please see this important message. /// - public static string GroupName = nameof(GroupName); + public static string EmailSubject = nameof(EmailSubject); /// - /// hash.md5 - /// MD5 hash. - /// + /// email.x_mailer + /// The name of the application that was used to draft and send the original email message. + /// Spambot v2.5 /// - public static string HashMd5 = nameof(HashMd5); + public static string EmailXMailer = nameof(EmailXMailer); /// - /// hash.sha1 - /// SHA1 hash. + /// error.code + /// Error code describing the error. /// /// - public static string HashSha1 = nameof(HashSha1); + public static string ErrorCode = nameof(ErrorCode); /// - /// hash.sha256 - /// SHA256 hash. + /// error.id + /// Unique identifier for the error. /// /// - public static string HashSha256 = nameof(HashSha256); + public static string ErrorId = nameof(ErrorId); /// - /// hash.sha384 - /// SHA384 hash. + /// error.message + /// Error message. /// /// - public static string HashSha384 = nameof(HashSha384); + public static string ErrorMessage = nameof(ErrorMessage); /// - /// hash.sha512 - /// SHA512 hash. + /// error.stack_trace + /// The stack trace of this error in plain text. /// /// - public static string HashSha512 = nameof(HashSha512); + public static string ErrorStackTrace = nameof(ErrorStackTrace); /// - /// hash.ssdeep - /// SSDEEP hash. - /// + /// error.type + /// The type of the error, for example the class name of the exception. + /// java.lang.NullPointerException /// - public static string HashSsdeep = nameof(HashSsdeep); + public static string ErrorType = nameof(ErrorType); /// - /// hash.tlsh - /// TLSH hash. - /// + /// event.action + /// The action captured by the event. 
+ /// This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + /// user-password-change /// - public static string HashTlsh = nameof(HashTlsh); + public static string EventAction = nameof(EventAction); /// - /// host.architecture - /// Operating system architecture. - /// x86_64 + /// event.agent_id_status + /// Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. + /// For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. + /// If no validation is performed then the field should be omitted. + /// The allowed values are: + /// `verified` - The `agent.id` field value matches expected value obtained from auth metadata. + /// `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. + /// `missing` - There was no `agent.id` field in the event to validate. + /// `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. + /// verified /// - public static string HostArchitecture = nameof(HostArchitecture); + public static string EventAgentIdStatus = nameof(EventAgentIdStatus); /// - /// host.boot.id - /// Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. 
Some container runtimes will bind mount a new boot_id value onto the proc file in each container. - ///
This field is beta and subject to change.
- /// 88a1f0ed-5ae5-41ee-af6b-41921c311872 + /// event.code + /// Identification code for this event, if one exists. + /// Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + /// 4648 ///
- public static string HostBootId = nameof(HostBootId); + public static string EventCode = nameof(EventCode); /// - /// host.cpu.usage - /// Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. - /// Scaling factor: 1000. - /// For example: For a two core host, this value should be the average of the two cores, between 0 and 1. - /// + /// event.created + /// `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. + /// This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. + /// In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + /// In case the two timestamps are identical, `@timestamp` should be used. + /// 5/23/2016 8:05:34 AM /// - public static string HostCpuUsage = nameof(HostCpuUsage); + public static string EventCreated = nameof(EventCreated); /// - /// host.disk.read.bytes - /// The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. - /// + /// event.dataset + /// Name of the dataset. + /// If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + /// It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + /// apache.access /// - public static string HostDiskReadBytes = nameof(HostDiskReadBytes); + public static string EventDataset = nameof(EventDataset); /// - /// host.disk.write.bytes - /// The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. 
+ /// event.duration + /// Duration of the event in nanoseconds. + /// If `event.start` and `event.end` are known this value should be the difference between the end and start time. /// /// - public static string HostDiskWriteBytes = nameof(HostDiskWriteBytes); - /// - /// host.domain - /// Name of the domain of which the host is a member. - /// For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - /// CONTOSO - /// - public static string HostDomain = nameof(HostDomain); + public static string EventDuration = nameof(EventDuration); /// - /// host.hostname - /// Hostname of the host. - /// It normally contains what the `hostname` command returns on the host machine. + /// event.end + /// `event.end` contains the date when the event ended or when the activity was last observed. /// /// - public static string HostHostname = nameof(HostHostname); + public static string EventEnd = nameof(EventEnd); /// - /// host.id - /// Unique host id. - /// As hostname is not always unique, use values that are meaningful in your environment. - /// Example: The current usage of `beat.name`. - /// + /// event.hash + /// Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + /// 123456789012345678901234567890ABCD /// - public static string HostId = nameof(HostId); + public static string EventHash = nameof(EventHash); /// - /// host.name - /// Name of the host. - /// It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. - /// + /// event.id + /// Unique ID to describe the event. 
+ /// 8a4f500d /// - public static string HostName = nameof(HostName); + public static string EventId = nameof(EventId); /// - /// host.network.egress.bytes - /// The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - /// + /// event.ingested + /// Timestamp when an event arrived in the central data store. + /// This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + /// In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + /// 5/23/2016 8:05:35 AM /// - public static string HostNetworkEgressBytes = nameof(HostNetworkEgressBytes); + public static string EventIngested = nameof(EventIngested); /// - /// host.network.egress.packets - /// The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. - /// + /// event.kind + /// This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + /// `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + /// The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. + ///
Allowed Values:
+ /// + /// ValueDescription + /// alertThis value indicates an event such as an alert or notable event, triggered by a detection rule executing externally to the Elastic Stack. + /// `event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and so on. + /// This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework. + /// assetThis value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. + /// Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs. + /// This value is used by Elastic Security for asset management solutions. `event.kind: asset` is not used for normal system events or logs that are coming from an asset/entity, nor is it used for system events or logs coming from a directory or CMDB system. + /// enrichmentThe `enrichment` value indicates an event collected to provide additional context, often to other events. + /// An example is collecting indicators of compromise (IOCs) from a threat intelligence provider with the intent to use those values to enrich other events. The IOC events from the intelligence provider should be categorized as `event.kind:enrichment`. + /// eventThis value is the most general and most common value for this field. It is used to represent events that indicate that something happened. + /// metricThis value is used to indicate that this event describes a numeric measurement taken at given point in time. + /// Examples include CPU utilization, memory usage, or device temperature. 
+ /// Metric events are often collected on a predictable frequency, such as once every few seconds, or once a minute, but can also be used to describe ad-hoc numeric metric queries. + /// stateThe state value is similar to metric, indicating that this event describes a measurement taken at given point in time, except that the measurement does not result in a numeric value, but rather one of a fixed set of categorical values that represent conditions or states. + /// Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), the state of a TCP connection (open, closed, fin_wait, etc.), the state of a host with respect to a software vulnerability (vulnerable, not vulnerable), and the state of a system regarding compliance with a regulatory standard (compliant, not compliant). + /// Note that an event that describes a change of state would not use `event.kind:state`, but instead would use 'event.kind:event' since a state change fits the more general event definition of something that happened. + /// State events are often collected on a predictable frequency, such as once every few seconds, once a minute, once an hour, or once a day, but can also be used to describe ad-hoc state queries. + /// pipeline_errorThis value indicates that an error occurred during the ingestion of this event, and that event data may be missing, inconsistent, or incorrect. `event.kind:pipeline_error` is often associated with parsing errors. + /// signalThis value is used by Elastic solutions (e.g., Security, Observability) for alert documents that are created by rules executing within the Kibana alerting framework. + /// Usage of this value is reserved, and data ingestion pipelines must not populate `event.kind` with the value "signal". + ///
+ /// alert ///
- public static string HostNetworkEgressPackets = nameof(HostNetworkEgressPackets); + public static string EventKind = nameof(EventKind); /// - /// host.network.ingress.bytes - /// The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. - /// + /// event.module + /// Name of the module this data is coming from. + /// If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + /// apache /// - public static string HostNetworkIngressBytes = nameof(HostNetworkIngressBytes); + public static string EventModule = nameof(EventModule); /// - /// host.network.ingress.packets - /// The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - /// + /// event.original + /// Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + /// This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + ///
Stored but not available for search in Elasticsearch by default
+ /// Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + ///
+ public static string EventOriginal = nameof(EventOriginal); + /// + /// event.outcome + /// This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + /// `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + /// Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + /// Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + /// Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + ///
Allowed Values:
+ /// + /// ValueDescription + /// failureIndicates that this event describes a failed result. A common example is `event.category:file AND event.type:access AND event.outcome:failure` to indicate that a file access was attempted, but was not successful. + /// successIndicates that this event describes a successful result. A common example is `event.category:file AND event.type:create AND event.outcome:success` to indicate that a file was successfully created. + /// unknownIndicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated. + ///
+ /// success + ///
+ public static string EventOutcome = nameof(EventOutcome); + /// + /// event.provider + /// Source of the event. + /// Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + /// kernel + /// + public static string EventProvider = nameof(EventProvider); + /// + /// event.reason + /// Reason why this event happened, according to the source. + /// This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + /// Terminated an unexpected process + /// + public static string EventReason = nameof(EventReason); + /// + /// event.reference + /// Reference URL linking to additional information about this event. + /// This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + /// https://system.example.com/event/#0001234 + /// + public static string EventReference = nameof(EventReference); + /// + /// event.risk_score + /// Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + /// + /// + public static string EventRiskScore = nameof(EventRiskScore); + /// + /// event.risk_score_norm + /// Normalized risk score or priority of the event, on a scale of 0 to 100. + /// This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + /// + /// + public static string EventRiskScoreNorm = nameof(EventRiskScoreNorm); + /// + /// event.sequence + /// Sequence number of the event. 
+ /// The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + /// + /// + public static string EventSequence = nameof(EventSequence); + /// + /// event.severity + /// The numeric severity of the event according to your event source. + /// What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + /// The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + /// 7 + /// + public static string EventSeverity = nameof(EventSeverity); + /// + /// event.start + /// `event.start` contains the date when the event started or when the activity was first observed. + /// + /// + public static string EventStart = nameof(EventStart); + /// + /// event.timezone + /// This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + /// Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + /// + /// + public static string EventTimezone = nameof(EventTimezone); + /// + /// event.url + /// URL linking to an external system to continue investigation of this event. + /// This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. 
+ /// https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + /// + public static string EventUrl = nameof(EventUrl); + /// + /// faas.coldstart + /// Boolean value indicating a cold start of a function. + /// + /// + public static string FaasColdstart = nameof(FaasColdstart); + /// + /// faas.execution + /// The execution ID of the current function execution. + /// af9d5aa4-a685-4c5f-a22b-444f80b3cc28 + /// + public static string FaasExecution = nameof(FaasExecution); + /// + /// faas.id + /// The unique identifier of a serverless function. + /// For AWS Lambda it's the function ARN (Amazon Resource Name) without a version or alias suffix. + /// arn:aws:lambda:us-west-2:123456789012:function:my-function + /// + public static string FaasId = nameof(FaasId); + /// + /// faas.name + /// The name of a serverless function. + /// my-function + /// + public static string FaasName = nameof(FaasName); + /// + /// faas.trigger.request_id + /// The ID of the trigger request , message, event, etc. + /// 123456789 + /// + public static string FaasTriggerRequestId = nameof(FaasTriggerRequestId); + /// + /// faas.trigger.type + /// The trigger for the function execution. + ///
Expected Values:
+ /// + /// http + /// pubsub + /// datasource + /// timer + /// other + ///
+ /// http + ///
+ public static string FaasTriggerType = nameof(FaasTriggerType); + /// + /// faas.version + /// The version of a serverless function. + /// 123 + /// + public static string FaasVersion = nameof(FaasVersion); + /// + /// file.accessed + /// Last time the file was accessed. + /// Note that not all filesystems keep track of access time. + /// + /// + public static string FileAccessed = nameof(FileAccessed); + /// + /// file.created + /// File creation time. + /// Note that not all filesystems store the creation time. + /// + /// + public static string FileCreated = nameof(FileCreated); + /// + /// file.ctime + /// Last time the file attributes or metadata changed. + /// Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + /// + /// + public static string FileCtime = nameof(FileCtime); + /// + /// file.device + /// Device that is the source of the file. + /// sda + /// + public static string FileDevice = nameof(FileDevice); + /// + /// file.directory + /// Directory where the file is located. It should include the drive letter, when appropriate. + /// /home/alice + /// + public static string FileDirectory = nameof(FileDirectory); + /// + /// file.drive_letter + /// Drive letter where the file is located. This field is only relevant on Windows. + /// The value should be uppercase, and not include the colon. + /// C + /// + public static string FileDriveLetter = nameof(FileDriveLetter); + /// + /// file.extension + /// File extension, excluding the leading dot. + /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + /// png + /// + public static string FileExtension = nameof(FileExtension); + /// + /// file.fork_name + /// A fork is additional data associated with a filesystem object. + /// On Linux, a resource fork is used to store additional data with a filesystem object. 
A file always has at least one fork for the data portion, and additional forks may exist. + /// On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + /// Zone.Identifer + /// + public static string FileForkName = nameof(FileForkName); + /// + /// file.gid + /// Primary group ID (GID) of the file. + /// 1001 + /// + public static string FileGid = nameof(FileGid); + /// + /// file.group + /// Primary group name of the file. + /// alice + /// + public static string FileGroup = nameof(FileGroup); + /// + /// file.inode + /// Inode representing the file in the filesystem. + /// 256383 + /// + public static string FileInode = nameof(FileInode); + /// + /// file.mime_type + /// MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + /// + /// + public static string FileMimeType = nameof(FileMimeType); + /// + /// file.mode + /// Mode of the file in octal representation. + /// 0640 + /// + public static string FileMode = nameof(FileMode); + /// + /// file.mtime + /// Last time the file content was modified. + /// + /// + public static string FileMtime = nameof(FileMtime); + /// + /// file.name + /// Name of the file including the extension, without the directory. + /// example.png + /// + public static string FileName = nameof(FileName); + /// + /// file.owner + /// File owner's username. 
+ /// alice + /// + public static string FileOwner = nameof(FileOwner); + /// + /// file.path + /// Full path to the file, including the file name. It should include the drive letter, when appropriate. + /// /home/alice/example.png + /// + public static string FilePath = nameof(FilePath); + /// + /// file.size + /// File size in bytes. + /// Only relevant when `file.type` is "file". + /// 16384 + /// + public static string FileSize = nameof(FileSize); + /// + /// file.target_path + /// Target path for symlinks. + /// + /// + public static string FileTargetPath = nameof(FileTargetPath); + /// + /// file.type + /// File type (file, dir, or symlink). + /// file + /// + public static string FileType = nameof(FileType); + /// + /// file.uid + /// The user ID (UID) or security identifier (SID) of the file owner. + /// 1001 + /// + public static string FileUid = nameof(FileUid); + /// + /// file.hash.md5 + /// MD5 hash. + /// + /// + public static string FileHashMd5 = nameof(FileHashMd5); + /// + /// file.hash.sha1 + /// SHA1 hash. + /// + /// + public static string FileHashSha1 = nameof(FileHashSha1); + /// + /// file.hash.sha256 + /// SHA256 hash. + /// + /// + public static string FileHashSha256 = nameof(FileHashSha256); + /// + /// file.hash.sha384 + /// SHA384 hash. + /// + /// + public static string FileHashSha384 = nameof(FileHashSha384); + /// + /// file.hash.sha512 + /// SHA512 hash. + /// + /// + public static string FileHashSha512 = nameof(FileHashSha512); + /// + /// file.hash.ssdeep + /// SSDEEP hash. + /// + /// + public static string FileHashSsdeep = nameof(FileHashSsdeep); + /// + /// file.hash.tlsh + /// TLSH hash. + /// + /// + public static string FileHashTlsh = nameof(FileHashTlsh); + /// + /// file.pe.architecture + /// CPU architecture target for the file. + /// x64 + /// + public static string FilePeArchitecture = nameof(FilePeArchitecture); + /// + /// file.pe.company + /// Internal company name of the file, provided at compile-time. 
+ /// Microsoft Corporation + /// + public static string FilePeCompany = nameof(FilePeCompany); + /// + /// file.pe.description + /// Internal description of the file, provided at compile-time. + /// Paint + /// + public static string FilePeDescription = nameof(FilePeDescription); + /// + /// file.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 + /// + public static string FilePeFileVersion = nameof(FilePeFileVersion); + /// + /// file.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string FilePeGoImportHash = nameof(FilePeGoImportHash); + /// + /// file.pe.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string FilePeGoImports = nameof(FilePeGoImports); + /// + /// file.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string FilePeGoImportsNamesEntropy = nameof(FilePeGoImportsNamesEntropy); + /// + /// file.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string FilePeGoImportsNamesVarEntropy = nameof(FilePeGoImportsNamesVarEntropy); + /// + /// file.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string FilePeGoStripped = nameof(FilePeGoStripped); + /// + /// file.pe.imphash + /// A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf + /// + public static string FilePeImphash = nameof(FilePeImphash); + /// + /// file.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string FilePeImportHash = nameof(FilePeImportHash); + /// + /// file.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FilePeImportsNamesEntropy = nameof(FilePeImportsNamesEntropy); + /// + /// file.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FilePeImportsNamesVarEntropy = nameof(FilePeImportsNamesVarEntropy); + /// + /// file.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE + /// + public static string FilePeOriginalFileName = nameof(FilePeOriginalFileName); + /// + /// file.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. 
+ /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// + public static string FilePePehash = nameof(FilePePehash); + /// + /// file.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System + /// + public static string FilePeProduct = nameof(FilePeProduct); + /// + /// file.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + /// + public static string FileX509IssuerDistinguishedName = nameof(FileX509IssuerDistinguishedName); + /// + /// file.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM + /// + public static string FileX509NotAfter = nameof(FileX509NotAfter); + /// + /// file.x509.not_before + /// Time at which the certificate is first considered valid. + /// 8/16/2019 1:40:25 AM + /// + public static string FileX509NotBefore = nameof(FileX509NotBefore); + /// + /// file.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA + /// + public static string FileX509PublicKeyAlgorithm = nameof(FileX509PublicKeyAlgorithm); + /// + /// file.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 + /// + public static string FileX509PublicKeyCurve = nameof(FileX509PublicKeyCurve); + /// + /// file.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 + ///
+ public static string FileX509PublicKeyExponent = nameof(FileX509PublicKeyExponent); + /// + /// file.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 + /// + public static string FileX509PublicKeySize = nameof(FileX509PublicKeySize); + /// + /// file.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA + /// + public static string FileX509SerialNumber = nameof(FileX509SerialNumber); + /// + /// file.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA + /// + public static string FileX509SignatureAlgorithm = nameof(FileX509SignatureAlgorithm); + /// + /// file.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. + /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + /// + public static string FileX509SubjectDistinguishedName = nameof(FileX509SubjectDistinguishedName); + /// + /// file.x509.version_number + /// Version of x509 format. + /// 3 + /// + public static string FileX509VersionNumber = nameof(FileX509VersionNumber); + /// + /// file.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 + /// + public static string FileCodeSignatureDigestAlgorithm = nameof(FileCodeSignatureDigestAlgorithm); + /// + /// file.code_signature.exists + /// Boolean to capture if a signature is present. 
+ /// true + /// + public static string FileCodeSignatureExists = nameof(FileCodeSignatureExists); + /// + /// file.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy + /// + public static string FileCodeSignatureSigningId = nameof(FileCodeSignatureSigningId); + /// + /// file.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT + /// + public static string FileCodeSignatureStatus = nameof(FileCodeSignatureStatus); + /// + /// file.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation + /// + public static string FileCodeSignatureSubjectName = nameof(FileCodeSignatureSubjectName); + /// + /// file.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV + /// + public static string FileCodeSignatureTeamId = nameof(FileCodeSignatureTeamId); + /// + /// file.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM + /// + public static string FileCodeSignatureTimestamp = nameof(FileCodeSignatureTimestamp); + /// + /// file.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ /// true + /// + public static string FileCodeSignatureTrusted = nameof(FileCodeSignatureTrusted); + /// + /// file.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. + /// true + /// + public static string FileCodeSignatureValid = nameof(FileCodeSignatureValid); + /// + /// file.elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 + /// + public static string FileElfArchitecture = nameof(FileElfArchitecture); + /// + /// file.elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian + /// + public static string FileElfByteOrder = nameof(FileElfByteOrder); + /// + /// file.elf.cpu_type + /// CPU type of the ELF file. + /// Intel + /// + public static string FileElfCpuType = nameof(FileElfCpuType); + /// + /// file.elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + /// + /// + public static string FileElfCreationDate = nameof(FileElfCreationDate); + /// + /// file.elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string FileElfGoImportHash = nameof(FileElfGoImportHash); + /// + /// file.elf.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string FileElfGoImports = nameof(FileElfGoImports); + /// + /// file.elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. 
+ /// + /// + public static string FileElfGoImportsNamesEntropy = nameof(FileElfGoImportsNamesEntropy); + /// + /// file.elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string FileElfGoImportsNamesVarEntropy = nameof(FileElfGoImportsNamesVarEntropy); + /// + /// file.elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string FileElfGoStripped = nameof(FileElfGoStripped); + /// + /// file.elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). + /// + /// + public static string FileElfHeaderAbiVersion = nameof(FileElfHeaderAbiVersion); + /// + /// file.elf.header.class + /// Header class of the ELF file. + /// + /// + public static string FileElfHeaderClass = nameof(FileElfHeaderClass); + /// + /// file.elf.header.data + /// Data table of the ELF header. + /// + /// + public static string FileElfHeaderData = nameof(FileElfHeaderData); + /// + /// file.elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// + /// + public static string FileElfHeaderEntrypoint = nameof(FileElfHeaderEntrypoint); + /// + /// file.elf.header.object_version + /// "0x1" for original ELF files. + /// + /// + public static string FileElfHeaderObjectVersion = nameof(FileElfHeaderObjectVersion); + /// + /// file.elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. + /// + /// + public static string FileElfHeaderOsAbi = nameof(FileElfHeaderOsAbi); + /// + /// file.elf.header.type + /// Header type of the ELF file. + /// + /// + public static string FileElfHeaderType = nameof(FileElfHeaderType); + /// + /// file.elf.header.version + /// Version of the ELF header. 
+ /// + /// + public static string FileElfHeaderVersion = nameof(FileElfHeaderVersion); + /// + /// file.elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string FileElfImportHash = nameof(FileElfImportHash); + /// + /// file.elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FileElfImportsNamesEntropy = nameof(FileElfImportsNamesEntropy); + /// + /// file.elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FileElfImportsNamesVarEntropy = nameof(FileElfImportsNamesVarEntropy); + /// + /// file.elf.telfhash + /// telfhash symbol hash for ELF file. + /// + /// + public static string FileElfTelfhash = nameof(FileElfTelfhash); + /// + /// file.macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string FileMachoGoImportHash = nameof(FileMachoGoImportHash); + /// + /// file.macho.go_imports + /// List of imported Go language element names and types. 
+ /// + /// + public static string FileMachoGoImports = nameof(FileMachoGoImports); + /// + /// file.macho.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string FileMachoGoImportsNamesEntropy = nameof(FileMachoGoImportsNamesEntropy); + /// + /// file.macho.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string FileMachoGoImportsNamesVarEntropy = nameof(FileMachoGoImportsNamesVarEntropy); + /// + /// file.macho.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string FileMachoGoStripped = nameof(FileMachoGoStripped); + /// + /// file.macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string FileMachoImportHash = nameof(FileMachoImportHash); + /// + /// file.macho.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FileMachoImportsNamesEntropy = nameof(FileMachoImportsNamesEntropy); + /// + /// file.macho.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FileMachoImportsNamesVarEntropy = nameof(FileMachoImportsNamesVarEntropy); + /// + /// file.macho.symhash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
+ /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec + /// + public static string FileMachoSymhash = nameof(FileMachoSymhash); + /// + /// geo.city_name + /// City name. + /// Montreal + /// + public static string GeoCityName = nameof(GeoCityName); + /// + /// geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string GeoContinentCode = nameof(GeoContinentCode); + /// + /// geo.continent_name + /// Name of the continent. + /// North America + /// + public static string GeoContinentName = nameof(GeoContinentName); + /// + /// geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string GeoCountryIsoCode = nameof(GeoCountryIsoCode); + /// + /// geo.country_name + /// Country name. + /// Canada + /// + public static string GeoCountryName = nameof(GeoCountryName); + /// + /// geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string GeoName = nameof(GeoName); + /// + /// geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string GeoPostalCode = nameof(GeoPostalCode); + /// + /// geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string GeoRegionIsoCode = nameof(GeoRegionIsoCode); + /// + /// geo.region_name + /// Region name. + /// Quebec + /// + public static string GeoRegionName = nameof(GeoRegionName); + /// + /// geo.timezone + /// The time zone of the location, such as IANA time zone name. 
+ /// America/Argentina/Buenos_Aires + /// + public static string GeoTimezone = nameof(GeoTimezone); + /// + /// group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string GroupDomain = nameof(GroupDomain); + /// + /// group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string GroupId = nameof(GroupId); + /// + /// group.name + /// Name of the group. + /// + /// + public static string GroupName = nameof(GroupName); + /// + /// hash.md5 + /// MD5 hash. + /// + /// + public static string HashMd5 = nameof(HashMd5); + /// + /// hash.sha1 + /// SHA1 hash. + /// + /// + public static string HashSha1 = nameof(HashSha1); + /// + /// hash.sha256 + /// SHA256 hash. + /// + /// + public static string HashSha256 = nameof(HashSha256); + /// + /// hash.sha384 + /// SHA384 hash. + /// + /// + public static string HashSha384 = nameof(HashSha384); + /// + /// hash.sha512 + /// SHA512 hash. + /// + /// + public static string HashSha512 = nameof(HashSha512); + /// + /// hash.ssdeep + /// SSDEEP hash. + /// + /// + public static string HashSsdeep = nameof(HashSsdeep); + /// + /// hash.tlsh + /// TLSH hash. + /// + /// + public static string HashTlsh = nameof(HashTlsh); + /// + /// host.architecture + /// Operating system architecture. + /// x86_64 + /// + public static string HostArchitecture = nameof(HostArchitecture); + /// + /// host.boot.id + /// Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. + ///
This field is beta and subject to change.
+ /// 88a1f0ed-5ae5-41ee-af6b-41921c311872 + ///
+ public static string HostBootId = nameof(HostBootId); + /// + /// host.cpu.usage + /// Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. + /// Scaling factor: 1000. + /// For example: For a two core host, this value should be the average of the two cores, between 0 and 1. + /// + /// + public static string HostCpuUsage = nameof(HostCpuUsage); + /// + /// host.disk.read.bytes + /// The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + /// + /// + public static string HostDiskReadBytes = nameof(HostDiskReadBytes); + /// + /// host.disk.write.bytes + /// The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + /// + /// + public static string HostDiskWriteBytes = nameof(HostDiskWriteBytes); + /// + /// host.domain + /// Name of the domain of which the host is a member. + /// For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + /// CONTOSO + /// + public static string HostDomain = nameof(HostDomain); + /// + /// host.hostname + /// Hostname of the host. + /// It normally contains what the `hostname` command returns on the host machine. + /// + /// + public static string HostHostname = nameof(HostHostname); + /// + /// host.id + /// Unique host id. + /// As hostname is not always unique, use values that are meaningful in your environment. + /// Example: The current usage of `beat.name`. + /// + /// + public static string HostId = nameof(HostId); + /// + /// host.name + /// Name of the host. + /// It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. 
+ /// + /// + public static string HostName = nameof(HostName); + /// + /// host.network.egress.bytes + /// The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. + /// + /// + public static string HostNetworkEgressBytes = nameof(HostNetworkEgressBytes); + /// + /// host.network.egress.packets + /// The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. + /// + /// + public static string HostNetworkEgressPackets = nameof(HostNetworkEgressPackets); + /// + /// host.network.ingress.bytes + /// The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. + /// + /// + public static string HostNetworkIngressBytes = nameof(HostNetworkIngressBytes); + /// + /// host.network.ingress.packets + /// The number of packets (gauge) received on all network interfaces by the host since the last metric collection. + /// /// public static string HostNetworkIngressPackets = nameof(HostNetworkIngressPackets); /// - /// host.pid_ns_ino - /// This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. + /// host.pid_ns_ino + /// This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. + ///
This field is beta and subject to change.
+ /// 256383 + ///
+ public static string HostPidNsIno = nameof(HostPidNsIno); + /// + /// host.type + /// Type of host. + /// For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + /// + /// + public static string HostType = nameof(HostType); + /// + /// host.uptime + /// Seconds the host has been up. + /// 1325 + /// + public static string HostUptime = nameof(HostUptime); + /// + /// host.geo.city_name + /// City name. + /// Montreal + /// + public static string HostGeoCityName = nameof(HostGeoCityName); + /// + /// host.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string HostGeoContinentCode = nameof(HostGeoContinentCode); + /// + /// host.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string HostGeoContinentName = nameof(HostGeoContinentName); + /// + /// host.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string HostGeoCountryIsoCode = nameof(HostGeoCountryIsoCode); + /// + /// host.geo.country_name + /// Country name. + /// Canada + /// + public static string HostGeoCountryName = nameof(HostGeoCountryName); + /// + /// host.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string HostGeoName = nameof(HostGeoName); + /// + /// host.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string HostGeoPostalCode = nameof(HostGeoPostalCode); + /// + /// host.geo.region_iso_code + /// Region ISO code. 
+ /// CA-QC + /// + public static string HostGeoRegionIsoCode = nameof(HostGeoRegionIsoCode); + /// + /// host.geo.region_name + /// Region name. + /// Quebec + /// + public static string HostGeoRegionName = nameof(HostGeoRegionName); + /// + /// host.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string HostGeoTimezone = nameof(HostGeoTimezone); + /// + /// host.os.family + /// OS family (such as redhat, debian, freebsd, windows). + /// debian + /// + public static string HostOsFamily = nameof(HostOsFamily); + /// + /// host.os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string HostOsFull = nameof(HostOsFull); + /// + /// host.os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string HostOsKernel = nameof(HostOsKernel); + /// + /// host.os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string HostOsName = nameof(HostOsName); + /// + /// host.os.platform + /// Operating system platform (such centos, ubuntu, windows). + /// darwin + /// + public static string HostOsPlatform = nameof(HostOsPlatform); + /// + /// host.os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string HostOsType = nameof(HostOsType); + /// + /// host.os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string HostOsVersion = nameof(HostOsVersion); + /// + /// host.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string HostRiskCalculatedLevel = nameof(HostRiskCalculatedLevel); + /// + /// host.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string HostRiskCalculatedScore = nameof(HostRiskCalculatedScore); + /// + /// host.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string HostRiskCalculatedScoreNorm = nameof(HostRiskCalculatedScoreNorm); + /// + /// host.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string HostRiskStaticLevel = nameof(HostRiskStaticLevel); + /// + /// host.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string HostRiskStaticScore = nameof(HostRiskStaticScore); + /// + /// host.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string HostRiskStaticScoreNorm = nameof(HostRiskStaticScoreNorm); + /// + /// http.request.body.bytes + /// Size in bytes of the request body. 
+ /// 887 + /// + public static string HttpRequestBodyBytes = nameof(HttpRequestBodyBytes); + /// + /// http.request.body.content + /// The full HTTP request body. + /// Hello world + /// + public static string HttpRequestBodyContent = nameof(HttpRequestBodyContent); + /// + /// http.request.bytes + /// Total size in bytes of the request (body and headers). + /// 1437 + /// + public static string HttpRequestBytes = nameof(HttpRequestBytes); + /// + /// http.request.id + /// A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + /// The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + /// 123e4567-e89b-12d3-a456-426614174000 + /// + public static string HttpRequestId = nameof(HttpRequestId); + /// + /// http.request.method + /// HTTP request method. + /// The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + /// POST + /// + public static string HttpRequestMethod = nameof(HttpRequestMethod); + /// + /// http.request.mime_type + /// Mime type of the body of the request. + /// This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. + /// image/gif + /// + public static string HttpRequestMimeType = nameof(HttpRequestMimeType); + /// + /// http.request.referrer + /// Referrer for this HTTP request. + /// https://blog.example.com/ + /// + public static string HttpRequestReferrer = nameof(HttpRequestReferrer); + /// + /// http.response.body.bytes + /// Size in bytes of the response body. + /// 887 + /// + public static string HttpResponseBodyBytes = nameof(HttpResponseBodyBytes); + /// + /// http.response.body.content + /// The full HTTP response body. 
+ /// Hello world + /// + public static string HttpResponseBodyContent = nameof(HttpResponseBodyContent); + /// + /// http.response.bytes + /// Total size in bytes of the response (body and headers). + /// 1437 + /// + public static string HttpResponseBytes = nameof(HttpResponseBytes); + /// + /// http.response.mime_type + /// Mime type of the body of the response. + /// This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. + /// image/gif + /// + public static string HttpResponseMimeType = nameof(HttpResponseMimeType); + /// + /// http.response.status_code + /// HTTP response status code. + /// 404 + /// + public static string HttpResponseStatusCode = nameof(HttpResponseStatusCode); + /// + /// http.version + /// HTTP version. + /// 1.1 + /// + public static string HttpVersion = nameof(HttpVersion); + /// + /// interface.alias + /// Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + /// outside + /// + public static string InterfaceAlias = nameof(InterfaceAlias); + /// + /// interface.id + /// Interface ID as reported by an observer (typically SNMP interface ID). + /// 10 + /// + public static string InterfaceId = nameof(InterfaceId); + /// + /// interface.name + /// Interface name as reported by the system. + /// eth0 + /// + public static string InterfaceName = nameof(InterfaceName); + /// + /// log.file.path + /// Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + /// If the event wasn't read from a log file, do not populate this field. + /// /var/log/fun-times.log + /// + public static string LogFilePath = nameof(LogFilePath); + /// + /// log.level + /// Original log level of the log event. 
+ /// If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + /// Some examples are `warn`, `err`, `i`, `informational`. + /// error + /// + public static string LogLevel = nameof(LogLevel); + /// + /// log.logger + /// The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + /// org.elasticsearch.bootstrap.Bootstrap + /// + public static string LogLogger = nameof(LogLogger); + /// + /// log.origin.file.line + /// The line number of the file containing the source code which originated the log event. + /// 42 + /// + public static string LogOriginFileLine = nameof(LogOriginFileLine); + /// + /// log.origin.file.name + /// The name of the file containing the source code which originated the log event. + /// Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + /// Bootstrap.java + /// + public static string LogOriginFileName = nameof(LogOriginFileName); + /// + /// log.origin.function + /// The name of the function or method which originated the log event. + /// init + /// + public static string LogOriginFunction = nameof(LogOriginFunction); + /// + /// macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). 
+ /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string MachoGoImportHash = nameof(MachoGoImportHash); + /// + /// macho.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string MachoGoImports = nameof(MachoGoImports); + /// + /// macho.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string MachoGoImportsNamesEntropy = nameof(MachoGoImportsNamesEntropy); + /// + /// macho.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string MachoGoImportsNamesVarEntropy = nameof(MachoGoImportsNamesVarEntropy); + /// + /// macho.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string MachoGoStripped = nameof(MachoGoStripped); + /// + /// macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string MachoImportHash = nameof(MachoImportHash); + /// + /// macho.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string MachoImportsNamesEntropy = nameof(MachoImportsNamesEntropy); + /// + /// macho.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string MachoImportsNamesVarEntropy = nameof(MachoImportsNamesVarEntropy); + /// + /// macho.symhash + /// A hash of the imports in a Mach-O file. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec + /// + public static string MachoSymhash = nameof(MachoSymhash); + /// + /// network.application + /// When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + /// For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + /// The field value must be normalized to lowercase for querying. + /// aim + /// + public static string NetworkApplication = nameof(NetworkApplication); + /// + /// network.bytes + /// Total bytes transferred in both directions. + /// If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + /// 368 + /// + public static string NetworkBytes = nameof(NetworkBytes); + /// + /// network.community_id + /// A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + /// Learn more at https://github.com/corelight/community-id-spec. + /// 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + /// + public static string NetworkCommunityId = nameof(NetworkCommunityId); + /// + /// network.direction + /// Direction of the network traffic. + /// When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + /// When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ /// Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + ///
Expected Values:
+ /// + /// ingress + /// egress + /// inbound + /// outbound + /// internal + /// external + /// unknown + ///
+ /// inbound + ///
+ public static string NetworkDirection = nameof(NetworkDirection); + /// + /// network.forwarded_ip + /// Host IP address when the source IP address is the proxy. + /// 192.1.1.2 + /// + public static string NetworkForwardedIp = nameof(NetworkForwardedIp); + /// + /// network.iana_number + /// IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + /// 6 + /// + public static string NetworkIanaNumber = nameof(NetworkIanaNumber); + /// + /// network.name + /// Name given by operators to sections of their network. + /// Guest Wifi + /// + public static string NetworkName = nameof(NetworkName); + /// + /// network.packets + /// Total packets transferred in both directions. + /// If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + /// 24 + /// + public static string NetworkPackets = nameof(NetworkPackets); + /// + /// network.protocol + /// In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + /// The field value must be normalized to lowercase for querying. + /// http + /// + public static string NetworkProtocol = nameof(NetworkProtocol); + /// + /// network.transport + /// Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + /// The field value must be normalized to lowercase for querying. + /// tcp + /// + public static string NetworkTransport = nameof(NetworkTransport); + /// + /// network.type + /// In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + /// The field value must be normalized to lowercase for querying. + /// ipv4 + /// + public static string NetworkType = nameof(NetworkType); + /// + /// network.vlan.id + /// VLAN ID as reported by the observer. 
+ /// 10 + /// + public static string NetworkVlanId = nameof(NetworkVlanId); + /// + /// network.vlan.name + /// Optional VLAN name as reported by the observer. + /// outside + /// + public static string NetworkVlanName = nameof(NetworkVlanName); + /// + /// observer.hostname + /// Hostname of the observer. + /// + /// + public static string ObserverHostname = nameof(ObserverHostname); + /// + /// observer.name + /// Custom name of the observer. + /// This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + /// If no custom name is needed, the field can be left empty. + /// 1_proxySG + /// + public static string ObserverName = nameof(ObserverName); + /// + /// observer.product + /// The product name of the observer. + /// s200 + /// + public static string ObserverProduct = nameof(ObserverProduct); + /// + /// observer.serial_number + /// Observer serial number. + /// + /// + public static string ObserverSerialNumber = nameof(ObserverSerialNumber); + /// + /// observer.type + /// The type of the observer the data is coming from. + /// There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + /// firewall + /// + public static string ObserverType = nameof(ObserverType); + /// + /// observer.vendor + /// Vendor name of the observer. + /// Symantec + /// + public static string ObserverVendor = nameof(ObserverVendor); + /// + /// observer.version + /// Observer version. + /// + /// + public static string ObserverVersion = nameof(ObserverVersion); + /// + /// observer.geo.city_name + /// City name. + /// Montreal + /// + public static string ObserverGeoCityName = nameof(ObserverGeoCityName); + /// + /// observer.geo.continent_code + /// Two-letter code representing continent's name. 
+ /// NA + /// + public static string ObserverGeoContinentCode = nameof(ObserverGeoContinentCode); + /// + /// observer.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ObserverGeoContinentName = nameof(ObserverGeoContinentName); + /// + /// observer.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ObserverGeoCountryIsoCode = nameof(ObserverGeoCountryIsoCode); + /// + /// observer.geo.country_name + /// Country name. + /// Canada + /// + public static string ObserverGeoCountryName = nameof(ObserverGeoCountryName); + /// + /// observer.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ObserverGeoName = nameof(ObserverGeoName); + /// + /// observer.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ObserverGeoPostalCode = nameof(ObserverGeoPostalCode); + /// + /// observer.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ObserverGeoRegionIsoCode = nameof(ObserverGeoRegionIsoCode); + /// + /// observer.geo.region_name + /// Region name. + /// Quebec + /// + public static string ObserverGeoRegionName = nameof(ObserverGeoRegionName); + /// + /// observer.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ObserverGeoTimezone = nameof(ObserverGeoTimezone); + /// + /// observer.os.family + /// OS family (such as redhat, debian, freebsd, windows). 
+ /// debian + /// + public static string ObserverOsFamily = nameof(ObserverOsFamily); + /// + /// observer.os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string ObserverOsFull = nameof(ObserverOsFull); + /// + /// observer.os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string ObserverOsKernel = nameof(ObserverOsKernel); + /// + /// observer.os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string ObserverOsName = nameof(ObserverOsName); + /// + /// observer.os.platform + /// Operating system platform (such centos, ubuntu, windows). + /// darwin + /// + public static string ObserverOsPlatform = nameof(ObserverOsPlatform); + /// + /// observer.os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string ObserverOsType = nameof(ObserverOsType); + /// + /// observer.os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string ObserverOsVersion = nameof(ObserverOsVersion); + /// + /// orchestrator.api_version + /// API version being used to carry out the action + /// v1beta1 + /// + public static string OrchestratorApiVersion = nameof(OrchestratorApiVersion); + /// + /// orchestrator.cluster.id + /// Unique ID of the cluster. + /// + /// + public static string OrchestratorClusterId = nameof(OrchestratorClusterId); + /// + /// orchestrator.cluster.name + /// Name of the cluster. + /// + /// + public static string OrchestratorClusterName = nameof(OrchestratorClusterName); + /// + /// orchestrator.cluster.url + /// URL of the API used to manage the cluster. + /// + /// + public static string OrchestratorClusterUrl = nameof(OrchestratorClusterUrl); + /// + /// orchestrator.cluster.version + /// The version of the cluster. + /// + /// + public static string OrchestratorClusterVersion = nameof(OrchestratorClusterVersion); + /// + /// orchestrator.namespace + /// Namespace in which the action is taking place. + /// kube-system + /// + public static string OrchestratorNamespace = nameof(OrchestratorNamespace); + /// + /// orchestrator.organization + /// Organization affected by the event (for multi-tenant orchestrator setups). + /// elastic + /// + public static string OrchestratorOrganization = nameof(OrchestratorOrganization); + /// + /// orchestrator.resource.id + /// Unique ID of the resource being acted upon. + /// + /// + public static string OrchestratorResourceId = nameof(OrchestratorResourceId); + /// + /// orchestrator.resource.name + /// Name of the resource being acted upon. 
+ /// test-pod-cdcws + /// + public static string OrchestratorResourceName = nameof(OrchestratorResourceName); + /// + /// orchestrator.resource.parent.type + /// Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). + /// DaemonSet + /// + public static string OrchestratorResourceParentType = nameof(OrchestratorResourceParentType); + /// + /// orchestrator.resource.type + /// Type of resource being acted upon. + /// service + /// + public static string OrchestratorResourceType = nameof(OrchestratorResourceType); + /// + /// orchestrator.type + /// Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + /// kubernetes + /// + public static string OrchestratorType = nameof(OrchestratorType); + /// + /// organization.id + /// Unique identifier for the organization. + /// + /// + public static string OrganizationId = nameof(OrganizationId); + /// + /// organization.name + /// Organization name. + /// + /// + public static string OrganizationName = nameof(OrganizationName); + /// + /// os.family + /// OS family (such as redhat, debian, freebsd, windows). + /// debian + /// + public static string OsFamily = nameof(OsFamily); + /// + /// os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string OsFull = nameof(OsFull); + /// + /// os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string OsKernel = nameof(OsKernel); + /// + /// os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string OsName = nameof(OsName); + /// + /// os.platform + /// Operating system platform (such centos, ubuntu, windows). 
+ /// darwin + /// + public static string OsPlatform = nameof(OsPlatform); + /// + /// os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string OsType = nameof(OsType); + /// + /// os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string OsVersion = nameof(OsVersion); + /// + /// package.architecture + /// Package architecture. + /// x86_64 + /// + public static string PackageArchitecture = nameof(PackageArchitecture); + /// + /// package.build_version + /// Additional information about the build version of the installed package. + /// For example use the commit SHA of a non-released package. + /// 36f4f7e89dd61b0988b12ee000b98966867710cd + /// + public static string PackageBuildVersion = nameof(PackageBuildVersion); + /// + /// package.checksum + /// Checksum of the installed package for verification. + /// 68b329da9893e34099c7d8ad5cb9c940 + /// + public static string PackageChecksum = nameof(PackageChecksum); + /// + /// package.description + /// Description of the package. + /// Open source programming language to build simple/reliable/efficient software. + /// + public static string PackageDescription = nameof(PackageDescription); + /// + /// package.install_scope + /// Indicating how the package was installed, e.g. user-local, global. + /// global + /// + public static string PackageInstallScope = nameof(PackageInstallScope); + /// + /// package.installed + /// Time when package was installed. + /// + /// + public static string PackageInstalled = nameof(PackageInstalled); + /// + /// package.license + /// License under which the package was released. + /// Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + /// Apache License 2.0 + /// + public static string PackageLicense = nameof(PackageLicense); + /// + /// package.name + /// Package name + /// go + /// + public static string PackageName = nameof(PackageName); + /// + /// package.path + /// Path where the package is installed. 
+ /// /usr/local/Cellar/go/1.12.9/ + /// + public static string PackagePath = nameof(PackagePath); + /// + /// package.reference + /// Home page or reference URL of the software in this package, if available. + /// https://golang.org + /// + public static string PackageReference = nameof(PackageReference); + /// + /// package.size + /// Package size in bytes. + /// 62231 + /// + public static string PackageSize = nameof(PackageSize); + /// + /// package.type + /// Type of package. + /// This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + /// rpm + /// + public static string PackageType = nameof(PackageType); + /// + /// package.version + /// Package version + /// 1.12.9 + /// + public static string PackageVersion = nameof(PackageVersion); + /// + /// pe.architecture + /// CPU architecture target for the file. + /// x64 + /// + public static string PeArchitecture = nameof(PeArchitecture); + /// + /// pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation + /// + public static string PeCompany = nameof(PeCompany); + /// + /// pe.description + /// Internal description of the file, provided at compile-time. + /// Paint + /// + public static string PeDescription = nameof(PeDescription); + /// + /// pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 + /// + public static string PeFileVersion = nameof(PeFileVersion); + /// + /// pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). 
+ /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string PeGoImportHash = nameof(PeGoImportHash); + /// + /// pe.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string PeGoImports = nameof(PeGoImports); + /// + /// pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string PeGoImportsNamesEntropy = nameof(PeGoImportsNamesEntropy); + /// + /// pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string PeGoImportsNamesVarEntropy = nameof(PeGoImportsNamesVarEntropy); + /// + /// pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string PeGoStripped = nameof(PeGoStripped); + /// + /// pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf + /// + public static string PeImphash = nameof(PeImphash); + /// + /// pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string PeImportHash = nameof(PeImportHash); + /// + /// pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. 
+ /// + /// + public static string PeImportsNamesEntropy = nameof(PeImportsNamesEntropy); + /// + /// pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string PeImportsNamesVarEntropy = nameof(PeImportsNamesVarEntropy); + /// + /// pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE + /// + public static string PeOriginalFileName = nameof(PeOriginalFileName); + /// + /// pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// + public static string PePehash = nameof(PePehash); + /// + /// pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System + /// + public static string PeProduct = nameof(PeProduct); + /// + /// process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + /// 4 + /// + public static string ProcessArgsCount = nameof(ProcessArgsCount); + /// + /// process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessCommandLine = nameof(ProcessCommandLine); + /// + /// process.end + /// The time the process ended. 
+ /// 5/23/2016 8:05:34 AM + /// + public static string ProcessEnd = nameof(ProcessEnd); + /// + /// process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessEntityId = nameof(ProcessEntityId); + /// + /// process.executable + /// Absolute path to the process executable. + /// /usr/bin/ssh + /// + public static string ProcessExecutable = nameof(ProcessExecutable); + /// + /// process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). + /// 137 + /// + public static string ProcessExitCode = nameof(ProcessExitCode); + /// + /// process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessInteractive = nameof(ProcessInteractive); + /// + /// process.name + /// Process name. + /// Sometimes called program name or similar. 
+ /// ssh + /// + public static string ProcessName = nameof(ProcessName); + /// + /// process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessPgid = nameof(ProcessPgid); + /// + /// process.pid + /// Process id. + /// 4242 + /// + public static string ProcessPid = nameof(ProcessPid); + /// + /// process.start + /// The time the process started. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessStart = nameof(ProcessStart); + /// + /// process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessThreadId = nameof(ProcessThreadId); + /// + /// process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessThreadName = nameof(ProcessThreadName); + /// + /// process.title + /// Process title. + /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessTitle = nameof(ProcessTitle); + /// + /// process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessUptime = nameof(ProcessUptime); + /// + /// process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessVpid = nameof(ProcessVpid); + /// + /// process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessWorkingDirectory = nameof(ProcessWorkingDirectory); + /// + /// process.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. 
+ /// + /// + public static string ProcessGroupDomain = nameof(ProcessGroupDomain); + /// + /// process.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessGroupId = nameof(ProcessGroupId); + /// + /// process.group.name + /// Name of the group. + /// + /// + public static string ProcessGroupName = nameof(ProcessGroupName); + /// + /// process.hash.md5 + /// MD5 hash. + /// + /// + public static string ProcessHashMd5 = nameof(ProcessHashMd5); + /// + /// process.hash.sha1 + /// SHA1 hash. + /// + /// + public static string ProcessHashSha1 = nameof(ProcessHashSha1); + /// + /// process.hash.sha256 + /// SHA256 hash. + /// + /// + public static string ProcessHashSha256 = nameof(ProcessHashSha256); + /// + /// process.hash.sha384 + /// SHA384 hash. + /// + /// + public static string ProcessHashSha384 = nameof(ProcessHashSha384); + /// + /// process.hash.sha512 + /// SHA512 hash. + /// + /// + public static string ProcessHashSha512 = nameof(ProcessHashSha512); + /// + /// process.hash.ssdeep + /// SSDEEP hash. + /// + /// + public static string ProcessHashSsdeep = nameof(ProcessHashSsdeep); + /// + /// process.hash.tlsh + /// TLSH hash. + /// + /// + public static string ProcessHashTlsh = nameof(ProcessHashTlsh); + /// + /// process.pe.architecture + /// CPU architecture target for the file. + /// x64 + /// + public static string ProcessPeArchitecture = nameof(ProcessPeArchitecture); + /// + /// process.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation + /// + public static string ProcessPeCompany = nameof(ProcessPeCompany); + /// + /// process.pe.description + /// Internal description of the file, provided at compile-time. + /// Paint + /// + public static string ProcessPeDescription = nameof(ProcessPeDescription); + /// + /// process.pe.file_version + /// Internal version of the file, provided at compile-time. 
+ /// 6.3.9600.17415 + /// + public static string ProcessPeFileVersion = nameof(ProcessPeFileVersion); + /// + /// process.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string ProcessPeGoImportHash = nameof(ProcessPeGoImportHash); + /// + /// process.pe.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string ProcessPeGoImports = nameof(ProcessPeGoImports); + /// + /// process.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessPeGoImportsNamesEntropy = nameof(ProcessPeGoImportsNamesEntropy); + /// + /// process.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessPeGoImportsNamesVarEntropy = nameof(ProcessPeGoImportsNamesVarEntropy); + /// + /// process.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string ProcessPeGoStripped = nameof(ProcessPeGoStripped); + /// + /// process.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ /// 0c6803c4e922103c4dca5963aad36ddf + /// + public static string ProcessPeImphash = nameof(ProcessPeImphash); + /// + /// process.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string ProcessPeImportHash = nameof(ProcessPeImportHash); + /// + /// process.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessPeImportsNamesEntropy = nameof(ProcessPeImportsNamesEntropy); + /// + /// process.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessPeImportsNamesVarEntropy = nameof(ProcessPeImportsNamesVarEntropy); + /// + /// process.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE + /// + public static string ProcessPeOriginalFileName = nameof(ProcessPeOriginalFileName); + /// + /// process.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// + public static string ProcessPePehash = nameof(ProcessPePehash); + /// + /// process.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System + /// + public static string ProcessPeProduct = nameof(ProcessPeProduct); + /// + /// process.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. 
+ /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 + /// + public static string ProcessCodeSignatureDigestAlgorithm = nameof(ProcessCodeSignatureDigestAlgorithm); + /// + /// process.code_signature.exists + /// Boolean to capture if a signature is present. + /// true + /// + public static string ProcessCodeSignatureExists = nameof(ProcessCodeSignatureExists); + /// + /// process.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy + /// + public static string ProcessCodeSignatureSigningId = nameof(ProcessCodeSignatureSigningId); + /// + /// process.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT + /// + public static string ProcessCodeSignatureStatus = nameof(ProcessCodeSignatureStatus); + /// + /// process.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation + /// + public static string ProcessCodeSignatureSubjectName = nameof(ProcessCodeSignatureSubjectName); + /// + /// process.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV + /// + public static string ProcessCodeSignatureTeamId = nameof(ProcessCodeSignatureTeamId); + /// + /// process.code_signature.timestamp + /// Date and time when the code signature was generated and signed. 
+ /// 1/1/2021 12:10:30 PM + /// + public static string ProcessCodeSignatureTimestamp = nameof(ProcessCodeSignatureTimestamp); + /// + /// process.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + /// true + /// + public static string ProcessCodeSignatureTrusted = nameof(ProcessCodeSignatureTrusted); + /// + /// process.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. + /// true + /// + public static string ProcessCodeSignatureValid = nameof(ProcessCodeSignatureValid); + /// + /// process.elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 + /// + public static string ProcessElfArchitecture = nameof(ProcessElfArchitecture); + /// + /// process.elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian + /// + public static string ProcessElfByteOrder = nameof(ProcessElfByteOrder); + /// + /// process.elf.cpu_type + /// CPU type of the ELF file. + /// Intel + /// + public static string ProcessElfCpuType = nameof(ProcessElfCpuType); + /// + /// process.elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + /// + /// + public static string ProcessElfCreationDate = nameof(ProcessElfCreationDate); + /// + /// process.elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
+ /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string ProcessElfGoImportHash = nameof(ProcessElfGoImportHash); + /// + /// process.elf.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string ProcessElfGoImports = nameof(ProcessElfGoImports); + /// + /// process.elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessElfGoImportsNamesEntropy = nameof(ProcessElfGoImportsNamesEntropy); + /// + /// process.elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessElfGoImportsNamesVarEntropy = nameof(ProcessElfGoImportsNamesVarEntropy); + /// + /// process.elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string ProcessElfGoStripped = nameof(ProcessElfGoStripped); + /// + /// process.elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). + /// + /// + public static string ProcessElfHeaderAbiVersion = nameof(ProcessElfHeaderAbiVersion); + /// + /// process.elf.header.class + /// Header class of the ELF file. + /// + /// + public static string ProcessElfHeaderClass = nameof(ProcessElfHeaderClass); + /// + /// process.elf.header.data + /// Data table of the ELF header. + /// + /// + public static string ProcessElfHeaderData = nameof(ProcessElfHeaderData); + /// + /// process.elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// + /// + public static string ProcessElfHeaderEntrypoint = nameof(ProcessElfHeaderEntrypoint); + /// + /// process.elf.header.object_version + /// "0x1" for original ELF files. 
+ /// + /// + public static string ProcessElfHeaderObjectVersion = nameof(ProcessElfHeaderObjectVersion); + /// + /// process.elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. + /// + /// + public static string ProcessElfHeaderOsAbi = nameof(ProcessElfHeaderOsAbi); + /// + /// process.elf.header.type + /// Header type of the ELF file. + /// + /// + public static string ProcessElfHeaderType = nameof(ProcessElfHeaderType); + /// + /// process.elf.header.version + /// Version of the ELF header. + /// + /// + public static string ProcessElfHeaderVersion = nameof(ProcessElfHeaderVersion); + /// + /// process.elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string ProcessElfImportHash = nameof(ProcessElfImportHash); + /// + /// process.elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessElfImportsNamesEntropy = nameof(ProcessElfImportsNamesEntropy); + /// + /// process.elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessElfImportsNamesVarEntropy = nameof(ProcessElfImportsNamesVarEntropy); + /// + /// process.elf.telfhash + /// telfhash symbol hash for ELF file. + /// + /// + public static string ProcessElfTelfhash = nameof(ProcessElfTelfhash); + /// + /// process.macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string ProcessMachoGoImportHash = nameof(ProcessMachoGoImportHash); + /// + /// process.macho.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string ProcessMachoGoImports = nameof(ProcessMachoGoImports); + /// + /// process.macho.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessMachoGoImportsNamesEntropy = nameof(ProcessMachoGoImportsNamesEntropy); + /// + /// process.macho.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessMachoGoImportsNamesVarEntropy = nameof(ProcessMachoGoImportsNamesVarEntropy); + /// + /// process.macho.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string ProcessMachoGoStripped = nameof(ProcessMachoGoStripped); + /// + /// process.macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string ProcessMachoImportHash = nameof(ProcessMachoImportHash); + /// + /// process.macho.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. 
+ /// + /// + public static string ProcessMachoImportsNamesEntropy = nameof(ProcessMachoImportsNamesEntropy); + /// + /// process.macho.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessMachoImportsNamesVarEntropy = nameof(ProcessMachoImportsNamesVarEntropy); + /// + /// process.macho.symhash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec + /// + public static string ProcessMachoSymhash = nameof(ProcessMachoSymhash); + /// + /// process.source.address + /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// + /// + public static string ProcessSourceAddress = nameof(ProcessSourceAddress); + /// + /// process.source.bytes + /// Bytes sent from the source to the destination. + /// 184 + /// + public static string ProcessSourceBytes = nameof(ProcessSourceBytes); + /// + /// process.source.domain + /// The domain name of the source system. + /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + /// foo.example.com + /// + public static string ProcessSourceDomain = nameof(ProcessSourceDomain); + /// + /// process.source.ip + /// IP address of the source (IPv4 or IPv6). + /// + /// + public static string ProcessSourceIp = nameof(ProcessSourceIp); + /// + /// process.source.mac + /// MAC address of the source. 
+ /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + /// pattern: + /// 00-00-5E-00-53-23 + /// + public static string ProcessSourceMac = nameof(ProcessSourceMac); + /// + /// process.source.nat.ip + /// Translated ip of source based NAT sessions (e.g. internal client to internet) + /// Typically connections traversing load balancers, firewalls, or routers. + /// + /// + public static string ProcessSourceNatIp = nameof(ProcessSourceNatIp); + /// + /// process.source.nat.port + /// Translated port of source based NAT sessions. (e.g. internal client to internet) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string ProcessSourceNatPort = nameof(ProcessSourceNatPort); + /// + /// process.source.packets + /// Packets sent from the source to the destination. + /// 12 + /// + public static string ProcessSourcePackets = nameof(ProcessSourcePackets); + /// + /// process.source.port + /// Port of the source. + /// + /// + public static string ProcessSourcePort = nameof(ProcessSourcePort); + /// + /// process.source.registered_domain + /// The highest registered source domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com + /// + public static string ProcessSourceRegisteredDomain = nameof(ProcessSourceRegisteredDomain); + /// + /// process.source.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east + /// + public static string ProcessSourceSubdomain = nameof(ProcessSourceSubdomain); + /// + /// process.source.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk + /// + public static string ProcessSourceTopLevelDomain = nameof(ProcessSourceTopLevelDomain); + /// + /// process.source.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ProcessSourceAsNumber = nameof(ProcessSourceAsNumber); + /// + /// process.source.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string ProcessSourceAsOrganizationName = nameof(ProcessSourceAsOrganizationName); + /// + /// process.source.geo.city_name + /// City name. + /// Montreal + /// + public static string ProcessSourceGeoCityName = nameof(ProcessSourceGeoCityName); + /// + /// process.source.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string ProcessSourceGeoContinentCode = nameof(ProcessSourceGeoContinentCode); + /// + /// process.source.geo.continent_name + /// Name of the continent. 
+ /// North America + /// + public static string ProcessSourceGeoContinentName = nameof(ProcessSourceGeoContinentName); + /// + /// process.source.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ProcessSourceGeoCountryIsoCode = nameof(ProcessSourceGeoCountryIsoCode); + /// + /// process.source.geo.country_name + /// Country name. + /// Canada + /// + public static string ProcessSourceGeoCountryName = nameof(ProcessSourceGeoCountryName); + /// + /// process.source.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ProcessSourceGeoName = nameof(ProcessSourceGeoName); + /// + /// process.source.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ProcessSourceGeoPostalCode = nameof(ProcessSourceGeoPostalCode); + /// + /// process.source.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ProcessSourceGeoRegionIsoCode = nameof(ProcessSourceGeoRegionIsoCode); + /// + /// process.source.geo.region_name + /// Region name. + /// Quebec + /// + public static string ProcessSourceGeoRegionName = nameof(ProcessSourceGeoRegionName); + /// + /// process.source.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ProcessSourceGeoTimezone = nameof(ProcessSourceGeoTimezone); + /// + /// process.source.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. 
+ /// + /// + public static string ProcessSourceUserDomain = nameof(ProcessSourceUserDomain); + /// + /// process.source.user.email + /// User email address. + /// + /// + public static string ProcessSourceUserEmail = nameof(ProcessSourceUserEmail); + /// + /// process.source.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ProcessSourceUserFullName = nameof(ProcessSourceUserFullName); + /// + /// process.source.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessSourceUserHash = nameof(ProcessSourceUserHash); + /// + /// process.source.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessSourceUserId = nameof(ProcessSourceUserId); + /// + /// process.source.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessSourceUserName = nameof(ProcessSourceUserName); + /// + /// process.source.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessSourceUserGroupDomain = nameof(ProcessSourceUserGroupDomain); + /// + /// process.source.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessSourceUserGroupId = nameof(ProcessSourceUserGroupId); + /// + /// process.source.user.group.name + /// Name of the group. + /// + /// + public static string ProcessSourceUserGroupName = nameof(ProcessSourceUserGroupName); + /// + /// process.source.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// High + /// + public static string ProcessSourceUserRiskCalculatedLevel = nameof(ProcessSourceUserRiskCalculatedLevel); + /// + /// process.source.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string ProcessSourceUserRiskCalculatedScore = nameof(ProcessSourceUserRiskCalculatedScore); + /// + /// process.source.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ProcessSourceUserRiskCalculatedScoreNorm = nameof(ProcessSourceUserRiskCalculatedScoreNorm); + /// + /// process.source.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessSourceUserRiskStaticLevel = nameof(ProcessSourceUserRiskStaticLevel); + /// + /// process.source.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessSourceUserRiskStaticScore = nameof(ProcessSourceUserRiskStaticScore); + /// + /// process.source.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessSourceUserRiskStaticScoreNorm = nameof(ProcessSourceUserRiskStaticScoreNorm); + /// + /// process.source.user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. 
+ /// + /// + public static string ProcessSourceUserUserDomain = nameof(ProcessSourceUserUserDomain); + /// + /// process.source.user.user.email + /// User email address. + /// + /// + public static string ProcessSourceUserUserEmail = nameof(ProcessSourceUserUserEmail); + /// + /// process.source.user.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ProcessSourceUserUserFullName = nameof(ProcessSourceUserUserFullName); + /// + /// process.source.user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessSourceUserUserHash = nameof(ProcessSourceUserUserHash); + /// + /// process.source.user.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessSourceUserUserId = nameof(ProcessSourceUserUserId); + /// + /// process.source.user.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessSourceUserUserName = nameof(ProcessSourceUserUserName); + /// + /// process.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessUserDomain = nameof(ProcessUserDomain); + /// + /// process.user.email + /// User email address. + /// + /// + public static string ProcessUserEmail = nameof(ProcessUserEmail); + /// + /// process.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ProcessUserFullName = nameof(ProcessUserFullName); + /// + /// process.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
+ /// + /// + public static string ProcessUserHash = nameof(ProcessUserHash); + /// + /// process.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessUserId = nameof(ProcessUserId); + /// + /// process.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessUserName = nameof(ProcessUserName); + /// + /// process.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessUserGroupDomain = nameof(ProcessUserGroupDomain); + /// + /// process.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessUserGroupId = nameof(ProcessUserGroupId); + /// + /// process.user.group.name + /// Name of the group. + /// + /// + public static string ProcessUserGroupName = nameof(ProcessUserGroupName); + /// + /// process.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ProcessUserRiskCalculatedLevel = nameof(ProcessUserRiskCalculatedLevel); + /// + /// process.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string ProcessUserRiskCalculatedScore = nameof(ProcessUserRiskCalculatedScore); + /// + /// process.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. 
+ /// 88.73 + /// + public static string ProcessUserRiskCalculatedScoreNorm = nameof(ProcessUserRiskCalculatedScoreNorm); + /// + /// process.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessUserRiskStaticLevel = nameof(ProcessUserRiskStaticLevel); + /// + /// process.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessUserRiskStaticScore = nameof(ProcessUserRiskStaticScore); + /// + /// process.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessUserRiskStaticScoreNorm = nameof(ProcessUserRiskStaticScoreNorm); + /// + /// process.user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessUserUserDomain = nameof(ProcessUserUserDomain); + /// + /// process.user.user.email + /// User email address. + /// + /// + public static string ProcessUserUserEmail = nameof(ProcessUserUserEmail); + /// + /// process.user.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ProcessUserUserFullName = nameof(ProcessUserUserFullName); + /// + /// process.user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessUserUserHash = nameof(ProcessUserUserHash); + /// + /// process.user.user.id + /// Unique identifier of the user. 
+ /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessUserUserId = nameof(ProcessUserUserId); + /// + /// process.user.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessUserUserName = nameof(ProcessUserUserName); + /// + /// process.process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + /// 4 + /// + public static string ProcessProcessArgsCount = nameof(ProcessProcessArgsCount); + /// + /// process.process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessProcessCommandLine = nameof(ProcessProcessCommandLine); + /// + /// process.process.end + /// The time the process ended. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessEnd = nameof(ProcessProcessEnd); + /// + /// process.process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessProcessEntityId = nameof(ProcessProcessEntityId); + /// + /// process.process.executable + /// Absolute path to the process executable. 
+ /// /usr/bin/ssh + /// + public static string ProcessProcessExecutable = nameof(ProcessProcessExecutable); + /// + /// process.process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). + /// 137 + /// + public static string ProcessProcessExitCode = nameof(ProcessProcessExitCode); + /// + /// process.process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessProcessInteractive = nameof(ProcessProcessInteractive); + /// + /// process.process.name + /// Process name. + /// Sometimes called program name or similar. + /// ssh + /// + public static string ProcessProcessName = nameof(ProcessProcessName); + /// + /// process.process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessProcessPgid = nameof(ProcessProcessPgid); + /// + /// process.process.pid + /// Process id. + /// 4242 + /// + public static string ProcessProcessPid = nameof(ProcessProcessPid); + /// + /// process.process.start + /// The time the process started. 
+ /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessStart = nameof(ProcessProcessStart); + /// + /// process.process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessProcessThreadId = nameof(ProcessProcessThreadId); + /// + /// process.process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessProcessThreadName = nameof(ProcessProcessThreadName); + /// + /// process.process.title + /// Process title. + /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessProcessTitle = nameof(ProcessProcessTitle); + /// + /// process.process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessProcessUptime = nameof(ProcessProcessUptime); + /// + /// process.process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessProcessVpid = nameof(ProcessProcessVpid); + /// + /// process.process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessProcessWorkingDirectory = nameof(ProcessProcessWorkingDirectory); + /// + /// process.process.parent.process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ /// 4 + /// + public static string ProcessProcessParentProcessArgsCount = nameof(ProcessProcessParentProcessArgsCount); + /// + /// process.process.parent.process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessProcessParentProcessCommandLine = nameof(ProcessProcessParentProcessCommandLine); + /// + /// process.process.parent.process.end + /// The time the process ended. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessParentProcessEnd = nameof(ProcessProcessParentProcessEnd); + /// + /// process.process.parent.process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessProcessParentProcessEntityId = nameof(ProcessProcessParentProcessEntityId); + /// + /// process.process.parent.process.executable + /// Absolute path to the process executable. + /// /usr/bin/ssh + /// + public static string ProcessProcessParentProcessExecutable = nameof(ProcessProcessParentProcessExecutable); + /// + /// process.process.parent.process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). 
+ /// 137 + /// + public static string ProcessProcessParentProcessExitCode = nameof(ProcessProcessParentProcessExitCode); + /// + /// process.process.parent.process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessProcessParentProcessInteractive = nameof(ProcessProcessParentProcessInteractive); + /// + /// process.process.parent.process.name + /// Process name. + /// Sometimes called program name or similar. + /// ssh + /// + public static string ProcessProcessParentProcessName = nameof(ProcessProcessParentProcessName); + /// + /// process.process.parent.process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessProcessParentProcessPgid = nameof(ProcessProcessParentProcessPgid); + /// + /// process.process.parent.process.pid + /// Process id. + /// 4242 + /// + public static string ProcessProcessParentProcessPid = nameof(ProcessProcessParentProcessPid); + /// + /// process.process.parent.process.start + /// The time the process started. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessParentProcessStart = nameof(ProcessProcessParentProcessStart); + /// + /// process.process.parent.process.thread.id + /// Thread ID. 
+ /// 4242 + /// + public static string ProcessProcessParentProcessThreadId = nameof(ProcessProcessParentProcessThreadId); + /// + /// process.process.parent.process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessProcessParentProcessThreadName = nameof(ProcessProcessParentProcessThreadName); + /// + /// process.process.parent.process.title + /// Process title. + /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessProcessParentProcessTitle = nameof(ProcessProcessParentProcessTitle); + /// + /// process.process.parent.process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessProcessParentProcessUptime = nameof(ProcessProcessParentProcessUptime); + /// + /// process.process.parent.process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessProcessParentProcessVpid = nameof(ProcessProcessParentProcessVpid); + /// + /// process.process.parent.process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessProcessParentProcessWorkingDirectory = nameof(ProcessProcessParentProcessWorkingDirectory); + /// + /// process.process.entry_leader.process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ /// 4 + /// + public static string ProcessProcessEntryLeaderProcessArgsCount = nameof(ProcessProcessEntryLeaderProcessArgsCount); + /// + /// process.process.entry_leader.process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessProcessEntryLeaderProcessCommandLine = nameof(ProcessProcessEntryLeaderProcessCommandLine); + /// + /// process.process.entry_leader.process.end + /// The time the process ended. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessEntryLeaderProcessEnd = nameof(ProcessProcessEntryLeaderProcessEnd); + /// + /// process.process.entry_leader.process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessProcessEntryLeaderProcessEntityId = nameof(ProcessProcessEntryLeaderProcessEntityId); + /// + /// process.process.entry_leader.process.executable + /// Absolute path to the process executable. + /// /usr/bin/ssh + /// + public static string ProcessProcessEntryLeaderProcessExecutable = nameof(ProcessProcessEntryLeaderProcessExecutable); + /// + /// process.process.entry_leader.process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). 
+ /// 137 + /// + public static string ProcessProcessEntryLeaderProcessExitCode = nameof(ProcessProcessEntryLeaderProcessExitCode); + /// + /// process.process.entry_leader.process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessProcessEntryLeaderProcessInteractive = nameof(ProcessProcessEntryLeaderProcessInteractive); + /// + /// process.process.entry_leader.process.name + /// Process name. + /// Sometimes called program name or similar. + /// ssh + /// + public static string ProcessProcessEntryLeaderProcessName = nameof(ProcessProcessEntryLeaderProcessName); + /// + /// process.process.entry_leader.process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessProcessEntryLeaderProcessPgid = nameof(ProcessProcessEntryLeaderProcessPgid); + /// + /// process.process.entry_leader.process.pid + /// Process id. + /// 4242 + /// + public static string ProcessProcessEntryLeaderProcessPid = nameof(ProcessProcessEntryLeaderProcessPid); + /// + /// process.process.entry_leader.process.start + /// The time the process started. 
+ /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessEntryLeaderProcessStart = nameof(ProcessProcessEntryLeaderProcessStart); + /// + /// process.process.entry_leader.process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessProcessEntryLeaderProcessThreadId = nameof(ProcessProcessEntryLeaderProcessThreadId); + /// + /// process.process.entry_leader.process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessProcessEntryLeaderProcessThreadName = nameof(ProcessProcessEntryLeaderProcessThreadName); + /// + /// process.process.entry_leader.process.title + /// Process title. + /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessProcessEntryLeaderProcessTitle = nameof(ProcessProcessEntryLeaderProcessTitle); + /// + /// process.process.entry_leader.process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessProcessEntryLeaderProcessUptime = nameof(ProcessProcessEntryLeaderProcessUptime); + /// + /// process.process.entry_leader.process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessProcessEntryLeaderProcessVpid = nameof(ProcessProcessEntryLeaderProcessVpid); + /// + /// process.process.entry_leader.process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessProcessEntryLeaderProcessWorkingDirectory = nameof(ProcessProcessEntryLeaderProcessWorkingDirectory); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.args_count + /// Length of the process.args array. 
+ /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + /// 4 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.end + /// The time the process ended. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
+ /// c2c455d9f99375d + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.executable + /// Absolute path to the process executable. + /// /usr/bin/ssh + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). + /// 137 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.name + /// Process name. + /// Sometimes called program name or similar. 
+ /// ssh + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.pid + /// Process id. + /// 4242 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.start + /// The time the process started. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.title + /// Process title. + /// The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid); + /// + /// process.process.entry_leader.process.entry_leader.parent.process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory); + /// + /// process.process.session_leader.process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + /// 4 + /// + public static string ProcessProcessSessionLeaderProcessArgsCount = nameof(ProcessProcessSessionLeaderProcessArgsCount); + /// + /// process.process.session_leader.process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. 
+ /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessProcessSessionLeaderProcessCommandLine = nameof(ProcessProcessSessionLeaderProcessCommandLine); + /// + /// process.process.session_leader.process.end + /// The time the process ended. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessSessionLeaderProcessEnd = nameof(ProcessProcessSessionLeaderProcessEnd); + /// + /// process.process.session_leader.process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessProcessSessionLeaderProcessEntityId = nameof(ProcessProcessSessionLeaderProcessEntityId); + /// + /// process.process.session_leader.process.executable + /// Absolute path to the process executable. + /// /usr/bin/ssh + /// + public static string ProcessProcessSessionLeaderProcessExecutable = nameof(ProcessProcessSessionLeaderProcessExecutable); + /// + /// process.process.session_leader.process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). + /// 137 + /// + public static string ProcessProcessSessionLeaderProcessExitCode = nameof(ProcessProcessSessionLeaderProcessExitCode); + /// + /// process.process.session_leader.process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessProcessSessionLeaderProcessInteractive = nameof(ProcessProcessSessionLeaderProcessInteractive); + /// + /// process.process.session_leader.process.name + /// Process name. + /// Sometimes called program name or similar. + /// ssh + /// + public static string ProcessProcessSessionLeaderProcessName = nameof(ProcessProcessSessionLeaderProcessName); + /// + /// process.process.session_leader.process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessProcessSessionLeaderProcessPgid = nameof(ProcessProcessSessionLeaderProcessPgid); + /// + /// process.process.session_leader.process.pid + /// Process id. + /// 4242 + /// + public static string ProcessProcessSessionLeaderProcessPid = nameof(ProcessProcessSessionLeaderProcessPid); + /// + /// process.process.session_leader.process.start + /// The time the process started. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessSessionLeaderProcessStart = nameof(ProcessProcessSessionLeaderProcessStart); + /// + /// process.process.session_leader.process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessProcessSessionLeaderProcessThreadId = nameof(ProcessProcessSessionLeaderProcessThreadId); + /// + /// process.process.session_leader.process.thread.name + /// Thread name. 
+ /// thread-0 + /// + public static string ProcessProcessSessionLeaderProcessThreadName = nameof(ProcessProcessSessionLeaderProcessThreadName); + /// + /// process.process.session_leader.process.title + /// Process title. + /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessProcessSessionLeaderProcessTitle = nameof(ProcessProcessSessionLeaderProcessTitle); + /// + /// process.process.session_leader.process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessProcessSessionLeaderProcessUptime = nameof(ProcessProcessSessionLeaderProcessUptime); + /// + /// process.process.session_leader.process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessProcessSessionLeaderProcessVpid = nameof(ProcessProcessSessionLeaderProcessVpid); + /// + /// process.process.session_leader.process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessProcessSessionLeaderProcessWorkingDirectory = nameof(ProcessProcessSessionLeaderProcessWorkingDirectory); + /// + /// process.process.session_leader.process.session_leader.parent.process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ /// 4 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount); + /// + /// process.process.session_leader.process.session_leader.parent.process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine); + /// + /// process.process.session_leader.process.session_leader.parent.process.end + /// The time the process ended. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd); + /// + /// process.process.session_leader.process.session_leader.parent.process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId); + /// + /// process.process.session_leader.process.session_leader.parent.process.executable + /// Absolute path to the process executable. 
+ /// /usr/bin/ssh + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable); + /// + /// process.process.session_leader.process.session_leader.parent.process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). + /// 137 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode); + /// + /// process.process.session_leader.process.session_leader.parent.process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive); + /// + /// process.process.session_leader.process.session_leader.parent.process.name + /// Process name. + /// Sometimes called program name or similar. 
+ /// ssh + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName); + /// + /// process.process.session_leader.process.session_leader.parent.process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid); + /// + /// process.process.session_leader.process.session_leader.parent.process.pid + /// Process id. + /// 4242 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid); + /// + /// process.process.session_leader.process.session_leader.parent.process.start + /// The time the process started. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart); + /// + /// process.process.session_leader.process.session_leader.parent.process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId); + /// + /// process.process.session_leader.process.session_leader.parent.process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName); + /// + /// process.process.session_leader.process.session_leader.parent.process.title + /// Process title. 
+ /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle); + /// + /// process.process.session_leader.process.session_leader.parent.process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime); + /// + /// process.process.session_leader.process.session_leader.parent.process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid); + /// + /// process.process.session_leader.process.session_leader.parent.process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory); + /// + /// registry.data.bytes + /// Original bytes written with base64 encoding. + /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
+ /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + /// + public static string RegistryDataBytes = nameof(RegistryDataBytes); + /// + /// registry.data.type + /// Standard registry type for encoding contents + /// REG_SZ + /// + public static string RegistryDataType = nameof(RegistryDataType); + /// + /// registry.hive + /// Abbreviated name for the hive. + /// HKLM + /// + public static string RegistryHive = nameof(RegistryHive); + /// + /// registry.key + /// Hive-relative path of keys. + /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + /// + public static string RegistryKey = nameof(RegistryKey); + /// + /// registry.path + /// Full path, including hive, key and value + /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + /// + public static string RegistryPath = nameof(RegistryPath); + /// + /// registry.value + /// Name of the value written. + /// Debugger + /// + public static string RegistryValue = nameof(RegistryValue); + /// + /// risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string RiskCalculatedLevel = nameof(RiskCalculatedLevel); + /// + /// risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string RiskCalculatedScore = nameof(RiskCalculatedScore); + /// + /// risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string RiskCalculatedScoreNorm = nameof(RiskCalculatedScoreNorm); + /// + /// risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// High + /// + public static string RiskStaticLevel = nameof(RiskStaticLevel); + /// + /// risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string RiskStaticScore = nameof(RiskStaticScore); + /// + /// risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string RiskStaticScoreNorm = nameof(RiskStaticScoreNorm); + /// + /// rule.category + /// A categorization value keyword used by the entity using the rule for detection of this event. + /// Attempted Information Leak + /// + public static string RuleCategory = nameof(RuleCategory); + /// + /// rule.description + /// The description of the rule generating the event. + /// Block requests to public DNS over HTTPS / TLS protocols + /// + public static string RuleDescription = nameof(RuleDescription); + /// + /// rule.id + /// A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + /// 101 + /// + public static string RuleId = nameof(RuleId); + /// + /// rule.license + /// Name of the license under which the rule used to generate this event is made available. + /// Apache 2.0 + /// + public static string RuleLicense = nameof(RuleLicense); + /// + /// rule.name + /// The name of the rule or signature generating the event. + /// BLOCK_DNS_over_TLS + /// + public static string RuleName = nameof(RuleName); + /// + /// rule.reference + /// Reference URL to additional information about the rule used to generate this event. + /// The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. 
+ /// https://en.wikipedia.org/wiki/DNS_over_TLS + /// + public static string RuleReference = nameof(RuleReference); + /// + /// rule.ruleset + /// Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + /// Standard_Protocol_Filters + /// + public static string RuleRuleset = nameof(RuleRuleset); + /// + /// rule.uuid + /// A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + /// 1100110011 + /// + public static string RuleUuid = nameof(RuleUuid); + /// + /// rule.version + /// The version / revision of the rule being used for analysis. + /// 1.1 + /// + public static string RuleVersion = nameof(RuleVersion); + /// + /// server.address + /// Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// + /// + public static string ServerAddress = nameof(ServerAddress); + /// + /// server.bytes + /// Bytes sent from the server to the client. + /// 184 + /// + public static string ServerBytes = nameof(ServerBytes); + /// + /// server.domain + /// The domain name of the server system. + /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + /// foo.example.com + /// + public static string ServerDomain = nameof(ServerDomain); + /// + /// server.ip + /// IP address of the server (IPv4 or IPv6). + /// + /// + public static string ServerIp = nameof(ServerIp); + /// + /// server.mac + /// MAC address of the server. 
+ /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + /// pattern: + /// 00-00-5E-00-53-23 + /// + public static string ServerMac = nameof(ServerMac); + /// + /// server.nat.ip + /// Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string ServerNatIp = nameof(ServerNatIp); + /// + /// server.nat.port + /// Translated port of destination based NAT sessions (e.g. internet to private DMZ) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string ServerNatPort = nameof(ServerNatPort); + /// + /// server.packets + /// Packets sent from the server to the client. + /// 12 + /// + public static string ServerPackets = nameof(ServerPackets); + /// + /// server.port + /// Port of the server. + /// + /// + public static string ServerPort = nameof(ServerPort); + /// + /// server.registered_domain + /// The highest registered server domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com + /// + public static string ServerRegisteredDomain = nameof(ServerRegisteredDomain); + /// + /// server.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. 
+ /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east + /// + public static string ServerSubdomain = nameof(ServerSubdomain); + /// + /// server.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk + /// + public static string ServerTopLevelDomain = nameof(ServerTopLevelDomain); + /// + /// server.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ServerAsNumber = nameof(ServerAsNumber); + /// + /// server.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string ServerAsOrganizationName = nameof(ServerAsOrganizationName); + /// + /// server.geo.city_name + /// City name. + /// Montreal + /// + public static string ServerGeoCityName = nameof(ServerGeoCityName); + /// + /// server.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string ServerGeoContinentCode = nameof(ServerGeoContinentCode); + /// + /// server.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ServerGeoContinentName = nameof(ServerGeoContinentName); + /// + /// server.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ServerGeoCountryIsoCode = nameof(ServerGeoCountryIsoCode); + /// + /// server.geo.country_name + /// Country name. 
+ /// Canada + /// + public static string ServerGeoCountryName = nameof(ServerGeoCountryName); + /// + /// server.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ServerGeoName = nameof(ServerGeoName); + /// + /// server.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ServerGeoPostalCode = nameof(ServerGeoPostalCode); + /// + /// server.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ServerGeoRegionIsoCode = nameof(ServerGeoRegionIsoCode); + /// + /// server.geo.region_name + /// Region name. + /// Quebec + /// + public static string ServerGeoRegionName = nameof(ServerGeoRegionName); + /// + /// server.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ServerGeoTimezone = nameof(ServerGeoTimezone); + /// + /// server.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ServerUserDomain = nameof(ServerUserDomain); + /// + /// server.user.email + /// User email address. + /// + /// + public static string ServerUserEmail = nameof(ServerUserEmail); + /// + /// server.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ServerUserFullName = nameof(ServerUserFullName); + /// + /// server.user.hash + /// Unique user hash to correlate information for a user in anonymized form. 
+ /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ServerUserHash = nameof(ServerUserHash); + /// + /// server.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ServerUserId = nameof(ServerUserId); + /// + /// server.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ServerUserName = nameof(ServerUserName); + /// + /// server.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ServerUserGroupDomain = nameof(ServerUserGroupDomain); + /// + /// server.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ServerUserGroupId = nameof(ServerUserGroupId); + /// + /// server.user.group.name + /// Name of the group. + /// + /// + public static string ServerUserGroupName = nameof(ServerUserGroupName); + /// + /// server.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ServerUserRiskCalculatedLevel = nameof(ServerUserRiskCalculatedLevel); + /// + /// server.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string ServerUserRiskCalculatedScore = nameof(ServerUserRiskCalculatedScore); + /// + /// server.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. 
+ /// 88.73 + /// + public static string ServerUserRiskCalculatedScoreNorm = nameof(ServerUserRiskCalculatedScoreNorm); + /// + /// server.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ServerUserRiskStaticLevel = nameof(ServerUserRiskStaticLevel); + /// + /// server.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ServerUserRiskStaticScore = nameof(ServerUserRiskStaticScore); + /// + /// server.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ServerUserRiskStaticScoreNorm = nameof(ServerUserRiskStaticScoreNorm); + /// + /// server.user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ServerUserUserDomain = nameof(ServerUserUserDomain); + /// + /// server.user.user.email + /// User email address. + /// + /// + public static string ServerUserUserEmail = nameof(ServerUserUserEmail); + /// + /// server.user.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ServerUserUserFullName = nameof(ServerUserUserFullName); + /// + /// server.user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ServerUserUserHash = nameof(ServerUserUserHash); + /// + /// server.user.user.id + /// Unique identifier of the user. 
+ /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ServerUserUserId = nameof(ServerUserUserId); + /// + /// server.user.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ServerUserUserName = nameof(ServerUserUserName); + /// + /// service.address + /// Address where data about this service was collected from. + /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + /// 172.26.0.2:5432 + /// + public static string ServiceAddress = nameof(ServiceAddress); + /// + /// service.environment + /// Identifies the environment where the service is running. + /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + ///
This field is beta and subject to change.
+ /// production + ///
+ public static string ServiceEnvironment = nameof(ServiceEnvironment); + /// + /// service.ephemeral_id + /// Ephemeral identifier of this service (if one exists). + /// This id normally changes across restarts, but `service.id` does not. + /// 8a4f500f + /// + public static string ServiceEphemeralId = nameof(ServiceEphemeralId); + /// + /// service.id + /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + /// + public static string ServiceId = nameof(ServiceId); + /// + /// service.name + /// Name of the service data is collected from. + /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + /// elasticsearch-metrics + /// + public static string ServiceName = nameof(ServiceName); + /// + /// service.node.name + /// Name of a service node. + /// This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + /// instance-0000000016 + /// + public static string ServiceNodeName = nameof(ServiceNodeName); + /// + /// service.node.role + /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. + /// Role of a service node. + /// This allows for distinction between different running roles of the same service. + /// In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + /// In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. + /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + /// background_tasks + /// + public static string ServiceNodeRole = nameof(ServiceNodeRole); + /// + /// service.state + /// Current state of the service. + /// + /// + public static string ServiceState = nameof(ServiceState); + /// + /// service.type + /// The type of the service data is collected from. + /// The type can be used to group and correlate logs and metrics from one service type. + /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + /// elasticsearch + /// + public static string ServiceType = nameof(ServiceType); + /// + /// service.version + /// Version of the service the data was collected from. + /// This allows to look at a data set only for a specific version of a service. + /// 3.2.4 + /// + public static string ServiceVersion = nameof(ServiceVersion); + /// + /// service.service.address + /// Address where data about this service was collected from. + /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
+ /// 172.26.0.2:5432 + /// + public static string ServiceServiceAddress = nameof(ServiceServiceAddress); + /// + /// service.service.environment + /// Identifies the environment where the service is running. + /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. ///
This field is beta and subject to change.
- /// 256383 + /// production ///
- public static string HostPidNsIno = nameof(HostPidNsIno); + public static string ServiceServiceEnvironment = nameof(ServiceServiceEnvironment); /// - /// host.type - /// Type of host. - /// For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + /// service.service.ephemeral_id + /// Ephemeral identifier of this service (if one exists). + /// This id normally changes across restarts, but `service.id` does not. + /// 8a4f500f + /// + public static string ServiceServiceEphemeralId = nameof(ServiceServiceEphemeralId); + /// + /// service.service.id + /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + /// + public static string ServiceServiceId = nameof(ServiceServiceId); + /// + /// service.service.name + /// Name of the service data is collected from. + /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + /// elasticsearch-metrics + /// + public static string ServiceServiceName = nameof(ServiceServiceName); + /// + /// service.service.node.name + /// Name of a service node. + /// This allows for two nodes of the same service running on the same host to be differentiated. 
Therefore, `service.node.name` should typically be unique across nodes of a given service. + /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + /// instance-0000000016 + /// + public static string ServiceServiceNodeName = nameof(ServiceServiceNodeName); + /// + /// service.service.node.role + /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. + /// Role of a service node. + /// This allows for distinction between different running roles of the same service. + /// In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + /// In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. + /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + /// background_tasks + /// + public static string ServiceServiceNodeRole = nameof(ServiceServiceNodeRole); + /// + /// service.service.state + /// Current state of the service. /// /// - public static string HostType = nameof(HostType); + public static string ServiceServiceState = nameof(ServiceServiceState); /// - /// host.uptime - /// Seconds the host has been up. - /// 1325 + /// service.service.type + /// The type of the service data is collected from. + /// The type can be used to group and correlate logs and metrics from one service type. + /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+ /// elasticsearch /// - public static string HostUptime = nameof(HostUptime); + public static string ServiceServiceType = nameof(ServiceServiceType); /// - /// http.request.body.bytes - /// Size in bytes of the request body. - /// 887 + /// service.service.version + /// Version of the service the data was collected from. + /// This allows to look at a data set only for a specific version of a service. + /// 3.2.4 /// - public static string HttpRequestBodyBytes = nameof(HttpRequestBodyBytes); + public static string ServiceServiceVersion = nameof(ServiceServiceVersion); /// - /// http.request.body.content - /// The full HTTP request body. - /// Hello world + /// source.address + /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// /// - public static string HttpRequestBodyContent = nameof(HttpRequestBodyContent); + public static string SourceAddress = nameof(SourceAddress); /// - /// http.request.bytes - /// Total size in bytes of the request (body and headers). - /// 1437 + /// source.bytes + /// Bytes sent from the source to the destination. + /// 184 /// - public static string HttpRequestBytes = nameof(HttpRequestBytes); + public static string SourceBytes = nameof(SourceBytes); /// - /// http.request.id - /// A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. - /// The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. - /// 123e4567-e89b-12d3-a456-426614174000 + /// source.domain + /// The domain name of the source system. + /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
+ /// foo.example.com /// - public static string HttpRequestId = nameof(HttpRequestId); + public static string SourceDomain = nameof(SourceDomain); /// - /// http.request.method - /// HTTP request method. - /// The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - /// POST + /// source.ip + /// IP address of the source (IPv4 or IPv6). + /// /// - public static string HttpRequestMethod = nameof(HttpRequestMethod); + public static string SourceIp = nameof(SourceIp); /// - /// http.request.mime_type - /// Mime type of the body of the request. - /// This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. - /// image/gif + /// source.mac + /// MAC address of the source. + /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + /// pattern: + /// 00-00-5E-00-53-23 /// - public static string HttpRequestMimeType = nameof(HttpRequestMimeType); + public static string SourceMac = nameof(SourceMac); /// - /// http.request.referrer - /// Referrer for this HTTP request. - /// https://blog.example.com/ + /// source.nat.ip + /// Translated ip of source based NAT sessions (e.g. internal client to internet) + /// Typically connections traversing load balancers, firewalls, or routers. + /// /// - public static string HttpRequestReferrer = nameof(HttpRequestReferrer); + public static string SourceNatIp = nameof(SourceNatIp); /// - /// http.response.body.bytes - /// Size in bytes of the response body. - /// 887 + /// source.nat.port + /// Translated port of source based NAT sessions. (e.g. 
internal client to internet) + /// Typically used with load balancers, firewalls, or routers. + /// /// - public static string HttpResponseBodyBytes = nameof(HttpResponseBodyBytes); + public static string SourceNatPort = nameof(SourceNatPort); /// - /// http.response.body.content - /// The full HTTP response body. - /// Hello world + /// source.packets + /// Packets sent from the source to the destination. + /// 12 /// - public static string HttpResponseBodyContent = nameof(HttpResponseBodyContent); + public static string SourcePackets = nameof(SourcePackets); /// - /// http.response.bytes - /// Total size in bytes of the response (body and headers). - /// 1437 + /// source.port + /// Port of the source. + /// /// - public static string HttpResponseBytes = nameof(HttpResponseBytes); + public static string SourcePort = nameof(SourcePort); /// - /// http.response.mime_type - /// Mime type of the body of the response. - /// This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - /// image/gif + /// source.registered_domain + /// The highest registered source domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com /// - public static string HttpResponseMimeType = nameof(HttpResponseMimeType); + public static string SourceRegisteredDomain = nameof(SourceRegisteredDomain); /// - /// http.response.status_code - /// HTTP response status code. 
- /// 404 + /// source.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east /// - public static string HttpResponseStatusCode = nameof(HttpResponseStatusCode); + public static string SourceSubdomain = nameof(SourceSubdomain); /// - /// http.version - /// HTTP version. - /// 1.1 + /// source.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk /// - public static string HttpVersion = nameof(HttpVersion); + public static string SourceTopLevelDomain = nameof(SourceTopLevelDomain); /// - /// interface.alias - /// Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - /// outside + /// source.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 /// - public static string InterfaceAlias = nameof(InterfaceAlias); + public static string SourceAsNumber = nameof(SourceAsNumber); /// - /// interface.id - /// Interface ID as reported by an observer (typically SNMP interface ID). 
- /// 10 + /// source.as.organization.name + /// Organization name. + /// Google LLC /// - public static string InterfaceId = nameof(InterfaceId); + public static string SourceAsOrganizationName = nameof(SourceAsOrganizationName); /// - /// interface.name - /// Interface name as reported by the system. - /// eth0 + /// source.geo.city_name + /// City name. + /// Montreal + /// + public static string SourceGeoCityName = nameof(SourceGeoCityName); + /// + /// source.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string SourceGeoContinentCode = nameof(SourceGeoContinentCode); + /// + /// source.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string SourceGeoContinentName = nameof(SourceGeoContinentName); + /// + /// source.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string SourceGeoCountryIsoCode = nameof(SourceGeoCountryIsoCode); + /// + /// source.geo.country_name + /// Country name. + /// Canada + /// + public static string SourceGeoCountryName = nameof(SourceGeoCountryName); + /// + /// source.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string SourceGeoName = nameof(SourceGeoName); + /// + /// source.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string SourceGeoPostalCode = nameof(SourceGeoPostalCode); + /// + /// source.geo.region_iso_code + /// Region ISO code. 
+ /// CA-QC + /// + public static string SourceGeoRegionIsoCode = nameof(SourceGeoRegionIsoCode); + /// + /// source.geo.region_name + /// Region name. + /// Quebec /// - public static string InterfaceName = nameof(InterfaceName); + public static string SourceGeoRegionName = nameof(SourceGeoRegionName); /// - /// log.file.path - /// Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - /// If the event wasn't read from a log file, do not populate this field. - /// /var/log/fun-times.log + /// source.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires /// - public static string LogFilePath = nameof(LogFilePath); + public static string SourceGeoTimezone = nameof(SourceGeoTimezone); /// - /// log.level - /// Original log level of the log event. - /// If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - /// Some examples are `warn`, `err`, `i`, `informational`. - /// error + /// source.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string LogLevel = nameof(LogLevel); + public static string SourceUserDomain = nameof(SourceUserDomain); /// - /// log.logger - /// The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - /// org.elasticsearch.bootstrap.Bootstrap + /// source.user.email + /// User email address. + /// /// - public static string LogLogger = nameof(LogLogger); + public static string SourceUserEmail = nameof(SourceUserEmail); /// - /// log.origin.file.line - /// The line number of the file containing the source code which originated the log event. 
- /// 42 + /// source.user.full_name + /// User's full name, if available. + /// Albert Einstein /// - public static string LogOriginFileLine = nameof(LogOriginFileLine); + public static string SourceUserFullName = nameof(SourceUserFullName); /// - /// log.origin.file.name - /// The name of the file containing the source code which originated the log event. - /// Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. - /// Bootstrap.java + /// source.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// /// - public static string LogOriginFileName = nameof(LogOriginFileName); + public static string SourceUserHash = nameof(SourceUserHash); /// - /// log.origin.function - /// The name of the function or method which originated the log event. - /// init + /// source.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string LogOriginFunction = nameof(LogOriginFunction); + public static string SourceUserId = nameof(SourceUserId); /// - /// macho.go_import_hash - /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). - /// 10bddcb4cee42080f76c88d9ff964491 + /// source.user.name + /// Short name or login of the user. 
+ /// a.einstein /// - public static string MachoGoImportHash = nameof(MachoGoImportHash); + public static string SourceUserName = nameof(SourceUserName); /// - /// macho.go_imports - /// List of imported Go language element names and types. + /// source.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. /// /// - public static string MachoGoImports = nameof(MachoGoImports); + public static string SourceUserGroupDomain = nameof(SourceUserGroupDomain); /// - /// macho.go_imports_names_entropy - /// Shannon entropy calculation from the list of Go imports. + /// source.user.group.id + /// Unique identifier for the group on the system/platform. /// /// - public static string MachoGoImportsNamesEntropy = nameof(MachoGoImportsNamesEntropy); + public static string SourceUserGroupId = nameof(SourceUserGroupId); /// - /// macho.go_imports_names_var_entropy - /// Variance for Shannon entropy calculation from the list of Go imports. + /// source.user.group.name + /// Name of the group. /// /// - public static string MachoGoImportsNamesVarEntropy = nameof(MachoGoImportsNamesVarEntropy); + public static string SourceUserGroupName = nameof(SourceUserGroupName); /// - /// macho.go_stripped - /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - /// + /// source.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High /// - public static string MachoGoStripped = nameof(MachoGoStripped); + public static string SourceUserRiskCalculatedLevel = nameof(SourceUserRiskCalculatedLevel); /// - /// macho.import_hash - /// A hash of the imports in a Mach-O file. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// This is a synonym for symhash. - /// d41d8cd98f00b204e9800998ecf8427e + /// source.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 /// - public static string MachoImportHash = nameof(MachoImportHash); + public static string SourceUserRiskCalculatedScore = nameof(SourceUserRiskCalculatedScore); /// - /// macho.imports_names_entropy - /// Shannon entropy calculation from the list of imported element names and types. - /// + /// source.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 /// - public static string MachoImportsNamesEntropy = nameof(MachoImportsNamesEntropy); + public static string SourceUserRiskCalculatedScoreNorm = nameof(SourceUserRiskCalculatedScoreNorm); /// - /// macho.imports_names_var_entropy - /// Variance for Shannon entropy calculation from the list of imported element names and types. - /// + /// source.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High /// - public static string MachoImportsNamesVarEntropy = nameof(MachoImportsNamesVarEntropy); + public static string SourceUserRiskStaticLevel = nameof(SourceUserRiskStaticLevel); /// - /// macho.symhash - /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
- /// This is a Mach-O implementation of the Windows PE imphash - /// d3ccf195b62a9279c3c19af1080497ec + /// source.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 /// - public static string MachoSymhash = nameof(MachoSymhash); + public static string SourceUserRiskStaticScore = nameof(SourceUserRiskStaticScore); /// - /// network.application - /// When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - /// For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - /// The field value must be normalized to lowercase for querying. - /// aim + /// source.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 /// - public static string NetworkApplication = nameof(NetworkApplication); + public static string SourceUserRiskStaticScoreNorm = nameof(SourceUserRiskStaticScoreNorm); /// - /// network.bytes - /// Total bytes transferred in both directions. - /// If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - /// 368 + /// source.user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string NetworkBytes = nameof(NetworkBytes); + public static string SourceUserUserDomain = nameof(SourceUserUserDomain); /// - /// network.community_id - /// A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
- /// Learn more at https://github.com/corelight/community-id-spec. - /// 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + /// source.user.user.email + /// User email address. + /// /// - public static string NetworkCommunityId = nameof(NetworkCommunityId); + public static string SourceUserUserEmail = nameof(SourceUserUserEmail); /// - /// network.direction - /// Direction of the network traffic. - /// When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - /// When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - /// Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - ///
Expected Values:
- /// - /// ingress - /// egress - /// inbound - /// outbound - /// internal - /// external - /// unknown - ///
- /// inbound + /// source.user.user.full_name + /// User's full name, if available. + /// Albert Einstein ///
- public static string NetworkDirection = nameof(NetworkDirection); + public static string SourceUserUserFullName = nameof(SourceUserUserFullName); /// - /// network.forwarded_ip - /// Host IP address when the source IP address is the proxy. - /// 192.1.1.2 + /// source.user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// /// - public static string NetworkForwardedIp = nameof(NetworkForwardedIp); + public static string SourceUserUserHash = nameof(SourceUserUserHash); /// - /// network.iana_number - /// IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - /// 6 + /// source.user.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string NetworkIanaNumber = nameof(NetworkIanaNumber); + public static string SourceUserUserId = nameof(SourceUserUserId); /// - /// network.name - /// Name given by operators to sections of their network. - /// Guest Wifi + /// source.user.user.name + /// Short name or login of the user. + /// a.einstein /// - public static string NetworkName = nameof(NetworkName); + public static string SourceUserUserName = nameof(SourceUserUserName); /// - /// network.packets - /// Total packets transferred in both directions. - /// If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - /// 24 + /// threat.feed.dashboard_id + /// The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. 
+ /// 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f /// - public static string NetworkPackets = nameof(NetworkPackets); + public static string ThreatFeedDashboardId = nameof(ThreatFeedDashboardId); /// - /// network.protocol - /// In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - /// The field value must be normalized to lowercase for querying. - /// http + /// threat.feed.description + /// Description of the threat feed in a UI friendly format. + /// Threat feed from the AlienVault Open Threat eXchange network. /// - public static string NetworkProtocol = nameof(NetworkProtocol); + public static string ThreatFeedDescription = nameof(ThreatFeedDescription); /// - /// network.transport - /// Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - /// The field value must be normalized to lowercase for querying. - /// tcp + /// threat.feed.name + /// The name of the threat feed in UI friendly format. + /// AlienVault OTX /// - public static string NetworkTransport = nameof(NetworkTransport); + public static string ThreatFeedName = nameof(ThreatFeedName); /// - /// network.type - /// In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - /// The field value must be normalized to lowercase for querying. - /// ipv4 + /// threat.feed.reference + /// Reference information for the threat feed in a UI friendly format. + /// https://otx.alienvault.com /// - public static string NetworkType = nameof(NetworkType); + public static string ThreatFeedReference = nameof(ThreatFeedReference); /// - /// observer.hostname - /// Hostname of the observer. - /// + /// threat.framework + /// Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. 
+ /// MITRE ATT&CK /// - public static string ObserverHostname = nameof(ObserverHostname); + public static string ThreatFramework = nameof(ThreatFramework); /// - /// observer.name - /// Custom name of the observer. - /// This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - /// If no custom name is needed, the field can be left empty. - /// 1_proxySG + /// threat.group.id + /// The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. + /// While not required, you can use a MITRE ATT&CK® group id. + /// G0037 /// - public static string ObserverName = nameof(ObserverName); + public static string ThreatGroupId = nameof(ThreatGroupId); /// - /// observer.product - /// The product name of the observer. - /// s200 + /// threat.group.name + /// The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. + /// While not required, you can use a MITRE ATT&CK® group name. + /// FIN6 /// - public static string ObserverProduct = nameof(ObserverProduct); + public static string ThreatGroupName = nameof(ThreatGroupName); /// - /// observer.serial_number - /// Observer serial number. - /// + /// threat.group.reference + /// The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. + /// While not required, you can use a MITRE ATT&CK® group reference URL. + /// https://attack.mitre.org/groups/G0037/ /// - public static string ObserverSerialNumber = nameof(ObserverSerialNumber); + public static string ThreatGroupReference = nameof(ThreatGroupReference); /// - /// observer.type - /// The type of the observer the data is coming from. - /// There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
- /// firewall + /// threat.indicator.confidence + /// Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + ///
Expected Values:
+ /// + /// Not Specified + /// None + /// Low + /// Medium + /// High + ///
+ /// Medium ///
- public static string ObserverType = nameof(ObserverType); + public static string ThreatIndicatorConfidence = nameof(ThreatIndicatorConfidence); /// - /// observer.vendor - /// Vendor name of the observer. - /// Symantec + /// threat.indicator.description + /// Describes the type of action conducted by the threat. + /// IP x.x.x.x was observed delivering the Angler EK. + /// + public static string ThreatIndicatorDescription = nameof(ThreatIndicatorDescription); + /// + /// threat.indicator.email.address + /// Identifies a threat indicator as an email address (irrespective of direction). + /// phish@example.com /// - public static string ObserverVendor = nameof(ObserverVendor); + public static string ThreatIndicatorEmailAddress = nameof(ThreatIndicatorEmailAddress); /// - /// observer.version - /// Observer version. - /// + /// threat.indicator.first_seen + /// The date and time when intelligence source first reported sighting this indicator. + /// 11/5/2020 5:25:47 PM /// - public static string ObserverVersion = nameof(ObserverVersion); + public static string ThreatIndicatorFirstSeen = nameof(ThreatIndicatorFirstSeen); /// - /// orchestrator.api_version - /// API version being used to carry out the action - /// v1beta1 + /// threat.indicator.ip + /// Identifies a threat indicator as an IP address (irrespective of direction). + /// 1.2.3.4 /// - public static string OrchestratorApiVersion = nameof(OrchestratorApiVersion); + public static string ThreatIndicatorIp = nameof(ThreatIndicatorIp); /// - /// orchestrator.cluster.id - /// Unique ID of the cluster. - /// + /// threat.indicator.last_seen + /// The date and time when intelligence source last reported sighting this indicator. + /// 11/5/2020 5:25:47 PM /// - public static string OrchestratorClusterId = nameof(OrchestratorClusterId); + public static string ThreatIndicatorLastSeen = nameof(ThreatIndicatorLastSeen); /// - /// orchestrator.cluster.name - /// Name of the cluster. 
- /// + /// threat.indicator.marking.tlp + /// Traffic Light Protocol sharing markings. + ///
Expected Values:
+ /// + /// WHITE + /// CLEAR + /// GREEN + /// AMBER + /// AMBER+STRICT + /// RED + ///
+ /// CLEAR ///
- public static string OrchestratorClusterName = nameof(OrchestratorClusterName); + public static string ThreatIndicatorMarkingTlp = nameof(ThreatIndicatorMarkingTlp); /// - /// orchestrator.cluster.url - /// URL of the API used to manage the cluster. - /// + /// threat.indicator.marking.tlp_version + /// Traffic Light Protocol version. + /// 2.0 /// - public static string OrchestratorClusterUrl = nameof(OrchestratorClusterUrl); + public static string ThreatIndicatorMarkingTlpVersion = nameof(ThreatIndicatorMarkingTlpVersion); /// - /// orchestrator.cluster.version - /// The version of the cluster. - /// + /// threat.indicator.modified_at + /// The date and time when intelligence source last modified information for this indicator. + /// 11/5/2020 5:25:47 PM /// - public static string OrchestratorClusterVersion = nameof(OrchestratorClusterVersion); + public static string ThreatIndicatorModifiedAt = nameof(ThreatIndicatorModifiedAt); /// - /// orchestrator.namespace - /// Namespace in which the action is taking place. - /// kube-system + /// threat.indicator.name + /// The display name indicator in an UI friendly format + /// URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. + /// 5.2.75.227 /// - public static string OrchestratorNamespace = nameof(OrchestratorNamespace); + public static string ThreatIndicatorName = nameof(ThreatIndicatorName); /// - /// orchestrator.organization - /// Organization affected by the event (for multi-tenant orchestrator setups). - /// elastic + /// threat.indicator.port + /// Identifies a threat indicator as a port number (irrespective of direction). + /// 443 /// - public static string OrchestratorOrganization = nameof(OrchestratorOrganization); + public static string ThreatIndicatorPort = nameof(ThreatIndicatorPort); /// - /// orchestrator.resource.id - /// Unique ID of the resource being acted upon. 
- /// + /// threat.indicator.provider + /// The name of the indicator's provider. + /// lrz_urlhaus /// - public static string OrchestratorResourceId = nameof(OrchestratorResourceId); + public static string ThreatIndicatorProvider = nameof(ThreatIndicatorProvider); /// - /// orchestrator.resource.name - /// Name of the resource being acted upon. - /// test-pod-cdcws + /// threat.indicator.reference + /// Reference URL linking to additional information about this indicator. + /// https://system.example.com/indicator/0001234 /// - public static string OrchestratorResourceName = nameof(OrchestratorResourceName); + public static string ThreatIndicatorReference = nameof(ThreatIndicatorReference); /// - /// orchestrator.resource.parent.type - /// Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). - /// DaemonSet + /// threat.indicator.scanner_stats + /// Count of AV/EDR vendors that successfully detected malicious file or URL. + /// 4 /// - public static string OrchestratorResourceParentType = nameof(OrchestratorResourceParentType); + public static string ThreatIndicatorScannerStats = nameof(ThreatIndicatorScannerStats); /// - /// orchestrator.resource.type - /// Type of resource being acted upon. - /// service + /// threat.indicator.sightings + /// Number of times this indicator was observed conducting threat activity. + /// 20 /// - public static string OrchestratorResourceType = nameof(OrchestratorResourceType); + public static string ThreatIndicatorSightings = nameof(ThreatIndicatorSightings); /// - /// orchestrator.type - /// Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - /// kubernetes + /// threat.indicator.type + /// Type of indicator as represented by Cyber Observable in STIX 2.0. + ///
Expected Values:
+ /// + /// autonomous-system + /// artifact + /// directory + /// domain-name + /// email-addr + /// file + /// ipv4-addr + /// ipv6-addr + /// mac-addr + /// mutex + /// port + /// process + /// software + /// url + /// user-account + /// windows-registry-key + /// x509-certificate + ///
+ /// ipv4-addr ///
- public static string OrchestratorType = nameof(OrchestratorType); + public static string ThreatIndicatorType = nameof(ThreatIndicatorType); /// - /// organization.id - /// Unique identifier for the organization. - /// + /// threat.software.id + /// The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software id. + /// S0552 /// - public static string OrganizationId = nameof(OrganizationId); + public static string ThreatSoftwareId = nameof(ThreatSoftwareId); /// - /// organization.name - /// Organization name. - /// + /// threat.software.name + /// The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software name. + /// AdFind /// - public static string OrganizationName = nameof(OrganizationName); + public static string ThreatSoftwareName = nameof(ThreatSoftwareName); /// - /// os.family - /// OS family (such as redhat, debian, freebsd, windows). - /// debian + /// threat.software.reference + /// The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software reference URL. + /// https://attack.mitre.org/software/S0552/ /// - public static string OsFamily = nameof(OsFamily); + public static string ThreatSoftwareReference = nameof(ThreatSoftwareReference); /// - /// os.full - /// Operating system name, including the version or code name. - /// Mac OS Mojave + /// threat.software.type + /// The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software type. + ///
Expected Values:
+ /// + /// Malware + /// Tool + ///
+ /// Tool ///
- public static string OsFull = nameof(OsFull); + public static string ThreatSoftwareType = nameof(ThreatSoftwareType); /// - /// os.kernel - /// Operating system kernel version as a raw string. - /// 4.4.0-112-generic + /// threat.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string OsKernel = nameof(OsKernel); + public static string ThreatX509IssuerDistinguishedName = nameof(ThreatX509IssuerDistinguishedName); /// - /// os.name - /// Operating system name, without the version. - /// Mac OS X + /// threat.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM /// - public static string OsName = nameof(OsName); + public static string ThreatX509NotAfter = nameof(ThreatX509NotAfter); /// - /// os.platform - /// Operating system platform (such centos, ubuntu, windows). - /// darwin + /// threat.x509.not_before + /// Time at which the certificate is first considered valid. + /// 8/16/2019 1:40:25 AM /// - public static string OsPlatform = nameof(OsPlatform); + public static string ThreatX509NotBefore = nameof(ThreatX509NotBefore); /// - /// os.type - /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. - /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - ///
Expected Values:
- /// - /// linux - /// macos - /// unix - /// windows - /// ios - /// android - ///
- /// macos + /// threat.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA ///
- public static string OsType = nameof(OsType); + public static string ThreatX509PublicKeyAlgorithm = nameof(ThreatX509PublicKeyAlgorithm); /// - /// os.version - /// Operating system version as a raw string. - /// 10.14.1 + /// threat.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 /// - public static string OsVersion = nameof(OsVersion); + public static string ThreatX509PublicKeyCurve = nameof(ThreatX509PublicKeyCurve); /// - /// package.architecture - /// Package architecture. - /// x86_64 + /// threat.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 ///
- public static string PackageArchitecture = nameof(PackageArchitecture); + public static string ThreatX509PublicKeyExponent = nameof(ThreatX509PublicKeyExponent); /// - /// package.build_version - /// Additional information about the build version of the installed package. - /// For example use the commit SHA of a non-released package. - /// 36f4f7e89dd61b0988b12ee000b98966867710cd + /// threat.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 /// - public static string PackageBuildVersion = nameof(PackageBuildVersion); + public static string ThreatX509PublicKeySize = nameof(ThreatX509PublicKeySize); /// - /// package.checksum - /// Checksum of the installed package for verification. - /// 68b329da9893e34099c7d8ad5cb9c940 + /// threat.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA /// - public static string PackageChecksum = nameof(PackageChecksum); + public static string ThreatX509SerialNumber = nameof(ThreatX509SerialNumber); /// - /// package.description - /// Description of the package. - /// Open source programming language to build simple/reliable/efficient software. + /// threat.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA /// - public static string PackageDescription = nameof(PackageDescription); + public static string ThreatX509SignatureAlgorithm = nameof(ThreatX509SignatureAlgorithm); /// - /// package.install_scope - /// Indicating how the package was installed, e.g. user-local, global. - /// global + /// threat.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. 
+ /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string PackageInstallScope = nameof(PackageInstallScope); + public static string ThreatX509SubjectDistinguishedName = nameof(ThreatX509SubjectDistinguishedName); /// - /// package.installed - /// Time when package was installed. - /// + /// threat.x509.version_number + /// Version of x509 format. + /// 3 /// - public static string PackageInstalled = nameof(PackageInstalled); + public static string ThreatX509VersionNumber = nameof(ThreatX509VersionNumber); /// - /// package.license - /// License under which the package was released. - /// Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). - /// Apache License 2.0 + /// threat.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 /// - public static string PackageLicense = nameof(PackageLicense); + public static string ThreatAsNumber = nameof(ThreatAsNumber); /// - /// package.name - /// Package name - /// go + /// threat.as.organization.name + /// Organization name. + /// Google LLC /// - public static string PackageName = nameof(PackageName); + public static string ThreatAsOrganizationName = nameof(ThreatAsOrganizationName); /// - /// package.path - /// Path where the package is installed. - /// /usr/local/Cellar/go/1.12.9/ + /// threat.file.accessed + /// Last time the file was accessed. + /// Note that not all filesystems keep track of access time. + /// /// - public static string PackagePath = nameof(PackagePath); + public static string ThreatFileAccessed = nameof(ThreatFileAccessed); /// - /// package.reference - /// Home page or reference URL of the software in this package, if available. - /// https://golang.org + /// threat.file.created + /// File creation time. + /// Note that not all filesystems store the creation time. 
+ /// /// - public static string PackageReference = nameof(PackageReference); + public static string ThreatFileCreated = nameof(ThreatFileCreated); /// - /// package.size - /// Package size in bytes. - /// 62231 + /// threat.file.ctime + /// Last time the file attributes or metadata changed. + /// Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + /// /// - public static string PackageSize = nameof(PackageSize); + public static string ThreatFileCtime = nameof(ThreatFileCtime); /// - /// package.type - /// Type of package. - /// This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - /// rpm + /// threat.file.device + /// Device that is the source of the file. + /// sda /// - public static string PackageType = nameof(PackageType); + public static string ThreatFileDevice = nameof(ThreatFileDevice); /// - /// package.version - /// Package version - /// 1.12.9 + /// threat.file.directory + /// Directory where the file is located. It should include the drive letter, when appropriate. + /// /home/alice /// - public static string PackageVersion = nameof(PackageVersion); + public static string ThreatFileDirectory = nameof(ThreatFileDirectory); /// - /// pe.architecture - /// CPU architecture target for the file. - /// x64 + /// threat.file.drive_letter + /// Drive letter where the file is located. This field is only relevant on Windows. + /// The value should be uppercase, and not include the colon. + /// C /// - public static string PeArchitecture = nameof(PeArchitecture); + public static string ThreatFileDriveLetter = nameof(ThreatFileDriveLetter); /// - /// pe.company - /// Internal company name of the file, provided at compile-time. - /// Microsoft Corporation + /// threat.file.extension + /// File extension, excluding the leading dot. 
+ /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + /// png /// - public static string PeCompany = nameof(PeCompany); + public static string ThreatFileExtension = nameof(ThreatFileExtension); /// - /// pe.description - /// Internal description of the file, provided at compile-time. - /// Paint + /// threat.file.fork_name + /// A fork is additional data associated with a filesystem object. + /// On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. + /// On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + /// Zone.Identifer /// - public static string PeDescription = nameof(PeDescription); + public static string ThreatFileForkName = nameof(ThreatFileForkName); /// - /// pe.file_version - /// Internal version of the file, provided at compile-time. - /// 6.3.9600.17415 + /// threat.file.gid + /// Primary group ID (GID) of the file. + /// 1001 /// - public static string PeFileVersion = nameof(PeFileVersion); + public static string ThreatFileGid = nameof(ThreatFileGid); /// - /// pe.go_import_hash - /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
- /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). - /// 10bddcb4cee42080f76c88d9ff964491 + /// threat.file.group + /// Primary group name of the file. + /// alice /// - public static string PeGoImportHash = nameof(PeGoImportHash); + public static string ThreatFileGroup = nameof(ThreatFileGroup); /// - /// pe.go_imports - /// List of imported Go language element names and types. - /// + /// threat.file.inode + /// Inode representing the file in the filesystem. + /// 256383 /// - public static string PeGoImports = nameof(PeGoImports); + public static string ThreatFileInode = nameof(ThreatFileInode); /// - /// pe.go_imports_names_entropy - /// Shannon entropy calculation from the list of Go imports. + /// threat.file.mime_type + /// MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. /// /// - public static string PeGoImportsNamesEntropy = nameof(PeGoImportsNamesEntropy); + public static string ThreatFileMimeType = nameof(ThreatFileMimeType); /// - /// pe.go_imports_names_var_entropy - /// Variance for Shannon entropy calculation from the list of Go imports. - /// + /// threat.file.mode + /// Mode of the file in octal representation. + /// 0640 /// - public static string PeGoImportsNamesVarEntropy = nameof(PeGoImportsNamesVarEntropy); + public static string ThreatFileMode = nameof(ThreatFileMode); /// - /// pe.go_stripped - /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// threat.file.mtime + /// Last time the file content was modified. 
/// /// - public static string PeGoStripped = nameof(PeGoStripped); + public static string ThreatFileMtime = nameof(ThreatFileMtime); /// - /// pe.imphash - /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - /// 0c6803c4e922103c4dca5963aad36ddf + /// threat.file.name + /// Name of the file including the extension, without the directory. + /// example.png /// - public static string PeImphash = nameof(PeImphash); + public static string ThreatFileName = nameof(ThreatFileName); /// - /// pe.import_hash - /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// This is a synonym for imphash. - /// d41d8cd98f00b204e9800998ecf8427e + /// threat.file.owner + /// File owner's username. + /// alice /// - public static string PeImportHash = nameof(PeImportHash); + public static string ThreatFileOwner = nameof(ThreatFileOwner); /// - /// pe.imports_names_entropy - /// Shannon entropy calculation from the list of imported element names and types. - /// + /// threat.file.path + /// Full path to the file, including the file name. It should include the drive letter, when appropriate. + /// /home/alice/example.png /// - public static string PeImportsNamesEntropy = nameof(PeImportsNamesEntropy); + public static string ThreatFilePath = nameof(ThreatFilePath); /// - /// pe.imports_names_var_entropy - /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// threat.file.size + /// File size in bytes. + /// Only relevant when `file.type` is "file". 
+ /// 16384 + /// + public static string ThreatFileSize = nameof(ThreatFileSize); + /// + /// threat.file.target_path + /// Target path for symlinks. /// /// - public static string PeImportsNamesVarEntropy = nameof(PeImportsNamesVarEntropy); + public static string ThreatFileTargetPath = nameof(ThreatFileTargetPath); /// - /// pe.original_file_name - /// Internal name of the file, provided at compile-time. - /// MSPAINT.EXE + /// threat.file.type + /// File type (file, dir, or symlink). + /// file /// - public static string PeOriginalFileName = nameof(PeOriginalFileName); + public static string ThreatFileType = nameof(ThreatFileType); /// - /// pe.pehash - /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. - /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. - /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// threat.file.uid + /// The user ID (UID) or security identifier (SID) of the file owner. + /// 1001 /// - public static string PePehash = nameof(PePehash); + public static string ThreatFileUid = nameof(ThreatFileUid); /// - /// pe.product - /// Internal product name of the file, provided at compile-time. - /// Microsoft® Windows® Operating System + /// threat.file.hash.md5 + /// MD5 hash. + /// /// - public static string PeProduct = nameof(PeProduct); + public static string ThreatFileHashMd5 = nameof(ThreatFileHashMd5); /// - /// process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - /// 4 + /// threat.file.hash.sha1 + /// SHA1 hash. 
+ /// /// - public static string ProcessArgsCount = nameof(ProcessArgsCount); + public static string ThreatFileHashSha1 = nameof(ThreatFileHashSha1); /// - /// process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 + /// threat.file.hash.sha256 + /// SHA256 hash. + /// /// - public static string ProcessCommandLine = nameof(ProcessCommandLine); + public static string ThreatFileHashSha256 = nameof(ThreatFileHashSha256); /// - /// process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM + /// threat.file.hash.sha384 + /// SHA384 hash. + /// /// - public static string ProcessEnd = nameof(ProcessEnd); + public static string ThreatFileHashSha384 = nameof(ThreatFileHashSha384); /// - /// process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d + /// threat.file.hash.sha512 + /// SHA512 hash. + /// /// - public static string ProcessEntityId = nameof(ProcessEntityId); + public static string ThreatFileHashSha512 = nameof(ThreatFileHashSha512); /// - /// process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh + /// threat.file.hash.ssdeep + /// SSDEEP hash. + /// /// - public static string ProcessExecutable = nameof(ProcessExecutable); + public static string ThreatFileHashSsdeep = nameof(ThreatFileHashSsdeep); /// - /// process.exit_code - /// The exit code of the process, if this is a termination event. 
- /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 + /// threat.file.hash.tlsh + /// TLSH hash. + /// /// - public static string ProcessExitCode = nameof(ProcessExitCode); + public static string ThreatFileHashTlsh = nameof(ThreatFileHashTlsh); /// - /// process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true + /// threat.file.pe.architecture + /// CPU architecture target for the file. + /// x64 /// - public static string ProcessInteractive = nameof(ProcessInteractive); + public static string ThreatFilePeArchitecture = nameof(ThreatFilePeArchitecture); /// - /// process.name - /// Process name. - /// Sometimes called program name or similar. - /// ssh + /// threat.file.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation /// - public static string ProcessName = nameof(ProcessName); + public static string ThreatFilePeCompany = nameof(ThreatFilePeCompany); /// - /// process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. - /// + /// threat.file.pe.description + /// Internal description of the file, provided at compile-time. 
+ /// Paint /// - public static string ProcessPgid = nameof(ProcessPgid); + public static string ThreatFilePeDescription = nameof(ThreatFilePeDescription); /// - /// process.pid - /// Process id. - /// 4242 + /// threat.file.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 /// - public static string ProcessPid = nameof(ProcessPid); + public static string ThreatFilePeFileVersion = nameof(ThreatFilePeFileVersion); /// - /// process.start - /// The time the process started. - /// 5/23/2016 8:05:34 AM + /// threat.file.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ProcessStart = nameof(ProcessStart); + public static string ThreatFilePeGoImportHash = nameof(ThreatFilePeGoImportHash); /// - /// process.thread.id - /// Thread ID. - /// 4242 + /// threat.file.pe.go_imports + /// List of imported Go language element names and types. + /// /// - public static string ProcessThreadId = nameof(ProcessThreadId); + public static string ThreatFilePeGoImports = nameof(ThreatFilePeGoImports); /// - /// process.thread.name - /// Thread name. - /// thread-0 + /// threat.file.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string ProcessThreadName = nameof(ProcessThreadName); + public static string ThreatFilePeGoImportsNamesEntropy = nameof(ThreatFilePeGoImportsNamesEntropy); /// - /// process.title - /// Process title. - /// The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. + /// threat.file.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string ProcessTitle = nameof(ProcessTitle); + public static string ThreatFilePeGoImportsNamesVarEntropy = nameof(ThreatFilePeGoImportsNamesVarEntropy); /// - /// process.uptime - /// Seconds the process has been up. - /// 1325 + /// threat.file.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// /// - public static string ProcessUptime = nameof(ProcessUptime); + public static string ThreatFilePeGoStripped = nameof(ThreatFilePeGoStripped); /// - /// process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 + /// threat.file.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf /// - public static string ProcessVpid = nameof(ProcessVpid); + public static string ThreatFilePeImphash = nameof(ThreatFilePeImphash); /// - /// process.working_directory - /// The working directory of the process. - /// /home/alice + /// threat.file.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. 
+ /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ProcessWorkingDirectory = nameof(ProcessWorkingDirectory); + public static string ThreatFilePeImportHash = nameof(ThreatFilePeImportHash); /// - /// registry.data.bytes - /// Original bytes written with base64 encoding. - /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + /// threat.file.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string RegistryDataBytes = nameof(RegistryDataBytes); + public static string ThreatFilePeImportsNamesEntropy = nameof(ThreatFilePeImportsNamesEntropy); /// - /// registry.data.type - /// Standard registry type for encoding contents - /// REG_SZ + /// threat.file.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string RegistryDataType = nameof(RegistryDataType); + public static string ThreatFilePeImportsNamesVarEntropy = nameof(ThreatFilePeImportsNamesVarEntropy); /// - /// registry.hive - /// Abbreviated name for the hive. - /// HKLM + /// threat.file.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE /// - public static string RegistryHive = nameof(RegistryHive); + public static string ThreatFilePeOriginalFileName = nameof(ThreatFilePeOriginalFileName); /// - /// registry.key - /// Hive-relative path of keys. - /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + /// threat.file.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. 
+ /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 /// - public static string RegistryKey = nameof(RegistryKey); + public static string ThreatFilePePehash = nameof(ThreatFilePePehash); /// - /// registry.path - /// Full path, including hive, key and value - /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + /// threat.file.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System /// - public static string RegistryPath = nameof(RegistryPath); + public static string ThreatFilePeProduct = nameof(ThreatFilePeProduct); /// - /// registry.value - /// Name of the value written. - /// Debugger + /// threat.file.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string RegistryValue = nameof(RegistryValue); + public static string ThreatFileX509IssuerDistinguishedName = nameof(ThreatFileX509IssuerDistinguishedName); /// - /// risk.calculated_level - /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. - /// High + /// threat.file.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM /// - public static string RiskCalculatedLevel = nameof(RiskCalculatedLevel); + public static string ThreatFileX509NotAfter = nameof(ThreatFileX509NotAfter); /// - /// risk.calculated_score - /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. - /// 880.73 + /// threat.file.x509.not_before + /// Time at which the certificate is first considered valid. 
+ /// 8/16/2019 1:40:25 AM /// - public static string RiskCalculatedScore = nameof(RiskCalculatedScore); + public static string ThreatFileX509NotBefore = nameof(ThreatFileX509NotBefore); /// - /// risk.calculated_score_norm - /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. - /// 88.73 + /// threat.file.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA /// - public static string RiskCalculatedScoreNorm = nameof(RiskCalculatedScoreNorm); + public static string ThreatFileX509PublicKeyAlgorithm = nameof(ThreatFileX509PublicKeyAlgorithm); /// - /// risk.static_level - /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. - /// High + /// threat.file.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 /// - public static string RiskStaticLevel = nameof(RiskStaticLevel); + public static string ThreatFileX509PublicKeyCurve = nameof(ThreatFileX509PublicKeyCurve); /// - /// risk.static_score - /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. - /// 830.0 + /// threat.file.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 ///
- public static string RiskStaticScore = nameof(RiskStaticScore); + public static string ThreatFileX509PublicKeyExponent = nameof(ThreatFileX509PublicKeyExponent); /// - /// risk.static_score_norm - /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. - /// 83.0 + /// threat.file.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 /// - public static string RiskStaticScoreNorm = nameof(RiskStaticScoreNorm); + public static string ThreatFileX509PublicKeySize = nameof(ThreatFileX509PublicKeySize); /// - /// rule.category - /// A categorization value keyword used by the entity using the rule for detection of this event. - /// Attempted Information Leak + /// threat.file.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA /// - public static string RuleCategory = nameof(RuleCategory); + public static string ThreatFileX509SerialNumber = nameof(ThreatFileX509SerialNumber); /// - /// rule.description - /// The description of the rule generating the event. - /// Block requests to public DNS over HTTPS / TLS protocols + /// threat.file.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA /// - public static string RuleDescription = nameof(RuleDescription); + public static string ThreatFileX509SignatureAlgorithm = nameof(ThreatFileX509SignatureAlgorithm); /// - /// rule.id - /// A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
- /// 101 + /// threat.file.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. + /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string RuleId = nameof(RuleId); + public static string ThreatFileX509SubjectDistinguishedName = nameof(ThreatFileX509SubjectDistinguishedName); /// - /// rule.license - /// Name of the license under which the rule used to generate this event is made available. - /// Apache 2.0 + /// threat.file.x509.version_number + /// Version of x509 format. + /// 3 /// - public static string RuleLicense = nameof(RuleLicense); + public static string ThreatFileX509VersionNumber = nameof(ThreatFileX509VersionNumber); /// - /// rule.name - /// The name of the rule or signature generating the event. - /// BLOCK_DNS_over_TLS + /// threat.file.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 /// - public static string RuleName = nameof(RuleName); + public static string ThreatFileCodeSignatureDigestAlgorithm = nameof(ThreatFileCodeSignatureDigestAlgorithm); /// - /// rule.reference - /// Reference URL to additional information about the rule used to generate this event. - /// The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - /// https://en.wikipedia.org/wiki/DNS_over_TLS + /// threat.file.code_signature.exists + /// Boolean to capture if a signature is present. 
+ /// true /// - public static string RuleReference = nameof(RuleReference); + public static string ThreatFileCodeSignatureExists = nameof(ThreatFileCodeSignatureExists); /// - /// rule.ruleset - /// Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - /// Standard_Protocol_Filters + /// threat.file.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy /// - public static string RuleRuleset = nameof(RuleRuleset); + public static string ThreatFileCodeSignatureSigningId = nameof(ThreatFileCodeSignatureSigningId); /// - /// rule.uuid - /// A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - /// 1100110011 + /// threat.file.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT /// - public static string RuleUuid = nameof(RuleUuid); + public static string ThreatFileCodeSignatureStatus = nameof(ThreatFileCodeSignatureStatus); /// - /// rule.version - /// The version / revision of the rule being used for analysis. - /// 1.1 + /// threat.file.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation /// - public static string RuleVersion = nameof(RuleVersion); + public static string ThreatFileCodeSignatureSubjectName = nameof(ThreatFileCodeSignatureSubjectName); /// - /// server.address - /// Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
- /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - /// + /// threat.file.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV /// - public static string ServerAddress = nameof(ServerAddress); + public static string ThreatFileCodeSignatureTeamId = nameof(ThreatFileCodeSignatureTeamId); /// - /// server.bytes - /// Bytes sent from the server to the client. - /// 184 + /// threat.file.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM /// - public static string ServerBytes = nameof(ServerBytes); + public static string ThreatFileCodeSignatureTimestamp = nameof(ThreatFileCodeSignatureTimestamp); /// - /// server.domain - /// The domain name of the server system. - /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - /// foo.example.com + /// threat.file.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + /// true /// - public static string ServerDomain = nameof(ServerDomain); + public static string ThreatFileCodeSignatureTrusted = nameof(ThreatFileCodeSignatureTrusted); /// - /// server.ip - /// IP address of the server (IPv4 or IPv6). - /// + /// threat.file.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. 
+ /// true /// - public static string ServerIp = nameof(ServerIp); + public static string ThreatFileCodeSignatureValid = nameof(ThreatFileCodeSignatureValid); /// - /// server.mac - /// MAC address of the server. - /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - /// pattern: - /// 00-00-5E-00-53-23 + /// threat.file.elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 /// - public static string ServerMac = nameof(ServerMac); + public static string ThreatFileElfArchitecture = nameof(ThreatFileElfArchitecture); /// - /// server.nat.ip - /// Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - /// Typically used with load balancers, firewalls, or routers. - /// + /// threat.file.elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian /// - public static string ServerNatIp = nameof(ServerNatIp); + public static string ThreatFileElfByteOrder = nameof(ThreatFileElfByteOrder); /// - /// server.nat.port - /// Translated port of destination based NAT sessions (e.g. internet to private DMZ) - /// Typically used with load balancers, firewalls, or routers. + /// threat.file.elf.cpu_type + /// CPU type of the ELF file. + /// Intel + /// + public static string ThreatFileElfCpuType = nameof(ThreatFileElfCpuType); + /// + /// threat.file.elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. /// /// - public static string ServerNatPort = nameof(ServerNatPort); + public static string ThreatFileElfCreationDate = nameof(ThreatFileElfCreationDate); /// - /// server.packets - /// Packets sent from the server to the client. 
- /// 12 + /// threat.file.elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ServerPackets = nameof(ServerPackets); + public static string ThreatFileElfGoImportHash = nameof(ThreatFileElfGoImportHash); /// - /// server.port - /// Port of the server. + /// threat.file.elf.go_imports + /// List of imported Go language element names and types. /// /// - public static string ServerPort = nameof(ServerPort); + public static string ThreatFileElfGoImports = nameof(ThreatFileElfGoImports); /// - /// server.registered_domain - /// The highest registered server domain, stripped of the subdomain. - /// For example, the registered domain for "foo.example.com" is "example.com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - /// example.com + /// threat.file.elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string ServerRegisteredDomain = nameof(ServerRegisteredDomain); + public static string ThreatFileElfGoImportsNamesEntropy = nameof(ThreatFileElfGoImportsNamesEntropy); /// - /// server.subdomain - /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - /// east + /// threat.file.elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// /// - public static string ServerSubdomain = nameof(ServerSubdomain); + public static string ThreatFileElfGoImportsNamesVarEntropy = nameof(ThreatFileElfGoImportsNamesVarEntropy); /// - /// server.top_level_domain - /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - /// co.uk + /// threat.file.elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// /// - public static string ServerTopLevelDomain = nameof(ServerTopLevelDomain); + public static string ThreatFileElfGoStripped = nameof(ThreatFileElfGoStripped); /// - /// service.address - /// Address where data about this service was collected from. - /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - /// 172.26.0.2:5432 + /// threat.file.elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). 
+ /// /// - public static string ServiceAddress = nameof(ServiceAddress); + public static string ThreatFileElfHeaderAbiVersion = nameof(ThreatFileElfHeaderAbiVersion); /// - /// service.environment - /// Identifies the environment where the service is running. - /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. - ///
This field is beta and subject to change.
- /// production + /// threat.file.elf.header.class + /// Header class of the ELF file. + /// ///
- public static string ServiceEnvironment = nameof(ServiceEnvironment); + public static string ThreatFileElfHeaderClass = nameof(ThreatFileElfHeaderClass); /// - /// service.ephemeral_id - /// Ephemeral identifier of this service (if one exists). - /// This id normally changes across restarts, but `service.id` does not. - /// 8a4f500f + /// threat.file.elf.header.data + /// Data table of the ELF header. + /// /// - public static string ServiceEphemeralId = nameof(ServiceEphemeralId); - /// - /// service.id - /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + public static string ThreatFileElfHeaderData = nameof(ThreatFileElfHeaderData); + /// + /// threat.file.elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// /// - public static string ServiceId = nameof(ServiceId); + public static string ThreatFileElfHeaderEntrypoint = nameof(ThreatFileElfHeaderEntrypoint); /// - /// service.name - /// Name of the service data is collected from. - /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - /// elasticsearch-metrics + /// threat.file.elf.header.object_version + /// "0x1" for original ELF files. 
+ /// /// - public static string ServiceName = nameof(ServiceName); + public static string ThreatFileElfHeaderObjectVersion = nameof(ThreatFileElfHeaderObjectVersion); /// - /// service.node.name - /// Name of a service node. - /// This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. - /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - /// instance-0000000016 + /// threat.file.elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. + /// /// - public static string ServiceNodeName = nameof(ServiceNodeName); + public static string ThreatFileElfHeaderOsAbi = nameof(ThreatFileElfHeaderOsAbi); /// - /// service.node.role - /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. - /// Role of a service node. - /// This allows for distinction between different running roles of the same service. - /// In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - /// In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. - /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. - /// background_tasks + /// threat.file.elf.header.type + /// Header type of the ELF file. + /// /// - public static string ServiceNodeRole = nameof(ServiceNodeRole); + public static string ThreatFileElfHeaderType = nameof(ThreatFileElfHeaderType); /// - /// service.state - /// Current state of the service. 
+ /// threat.file.elf.header.version + /// Version of the ELF header. /// /// - public static string ServiceState = nameof(ServiceState); + public static string ThreatFileElfHeaderVersion = nameof(ThreatFileElfHeaderVersion); /// - /// service.type - /// The type of the service data is collected from. - /// The type can be used to group and correlate logs and metrics from one service type. - /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - /// elasticsearch + /// threat.file.elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ServiceType = nameof(ServiceType); + public static string ThreatFileElfImportHash = nameof(ThreatFileElfImportHash); /// - /// service.version - /// Version of the service the data was collected from. - /// This allows to look at a data set only for a specific version of a service. - /// 3.2.4 + /// threat.file.elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string ServiceVersion = nameof(ServiceVersion); + public static string ThreatFileElfImportsNamesEntropy = nameof(ThreatFileElfImportsNamesEntropy); /// - /// source.address - /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// threat.file.elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. 
/// /// - public static string SourceAddress = nameof(SourceAddress); + public static string ThreatFileElfImportsNamesVarEntropy = nameof(ThreatFileElfImportsNamesVarEntropy); /// - /// source.bytes - /// Bytes sent from the source to the destination. - /// 184 + /// threat.file.elf.telfhash + /// telfhash symbol hash for ELF file. + /// /// - public static string SourceBytes = nameof(SourceBytes); + public static string ThreatFileElfTelfhash = nameof(ThreatFileElfTelfhash); /// - /// source.domain - /// The domain name of the source system. - /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - /// foo.example.com + /// threat.file.macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string SourceDomain = nameof(SourceDomain); + public static string ThreatFileMachoGoImportHash = nameof(ThreatFileMachoGoImportHash); /// - /// source.ip - /// IP address of the source (IPv4 or IPv6). + /// threat.file.macho.go_imports + /// List of imported Go language element names and types. /// /// - public static string SourceIp = nameof(SourceIp); + public static string ThreatFileMachoGoImports = nameof(ThreatFileMachoGoImports); /// - /// source.mac - /// MAC address of the source. - /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- /// pattern: - /// 00-00-5E-00-53-23 + /// threat.file.macho.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string SourceMac = nameof(SourceMac); + public static string ThreatFileMachoGoImportsNamesEntropy = nameof(ThreatFileMachoGoImportsNamesEntropy); /// - /// source.nat.ip - /// Translated ip of source based NAT sessions (e.g. internal client to internet) - /// Typically connections traversing load balancers, firewalls, or routers. + /// threat.file.macho.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string SourceNatIp = nameof(SourceNatIp); + public static string ThreatFileMachoGoImportsNamesVarEntropy = nameof(ThreatFileMachoGoImportsNamesVarEntropy); /// - /// source.nat.port - /// Translated port of source based NAT sessions. (e.g. internal client to internet) - /// Typically used with load balancers, firewalls, or routers. + /// threat.file.macho.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string SourceNatPort = nameof(SourceNatPort); + public static string ThreatFileMachoGoStripped = nameof(ThreatFileMachoGoStripped); /// - /// source.packets - /// Packets sent from the source to the destination. - /// 12 + /// threat.file.macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. + /// d41d8cd98f00b204e9800998ecf8427e /// - public static string SourcePackets = nameof(SourcePackets); + public static string ThreatFileMachoImportHash = nameof(ThreatFileMachoImportHash); /// - /// source.port - /// Port of the source. 
+ /// threat.file.macho.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string SourcePort = nameof(SourcePort); + public static string ThreatFileMachoImportsNamesEntropy = nameof(ThreatFileMachoImportsNamesEntropy); /// - /// source.registered_domain - /// The highest registered source domain, stripped of the subdomain. - /// For example, the registered domain for "foo.example.com" is "example.com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - /// example.com + /// threat.file.macho.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string SourceRegisteredDomain = nameof(SourceRegisteredDomain); + public static string ThreatFileMachoImportsNamesVarEntropy = nameof(ThreatFileMachoImportsNamesVarEntropy); /// - /// source.subdomain - /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - /// east + /// threat.file.macho.symhash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
+ /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec /// - public static string SourceSubdomain = nameof(SourceSubdomain); + public static string ThreatFileMachoSymhash = nameof(ThreatFileMachoSymhash); /// - /// source.top_level_domain - /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - /// co.uk + /// threat.geo.city_name + /// City name. + /// Montreal /// - public static string SourceTopLevelDomain = nameof(SourceTopLevelDomain); + public static string ThreatGeoCityName = nameof(ThreatGeoCityName); /// - /// threat.feed.dashboard_id - /// The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. - /// 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f + /// threat.geo.continent_code + /// Two-letter code representing continent's name. + /// NA /// - public static string ThreatFeedDashboardId = nameof(ThreatFeedDashboardId); + public static string ThreatGeoContinentCode = nameof(ThreatGeoContinentCode); /// - /// threat.feed.description - /// Description of the threat feed in a UI friendly format. - /// Threat feed from the AlienVault Open Threat eXchange network. + /// threat.geo.continent_name + /// Name of the continent. + /// North America /// - public static string ThreatFeedDescription = nameof(ThreatFeedDescription); + public static string ThreatGeoContinentName = nameof(ThreatGeoContinentName); /// - /// threat.feed.name - /// The name of the threat feed in UI friendly format. - /// AlienVault OTX + /// threat.geo.country_iso_code + /// Country ISO code. 
+ /// CA /// - public static string ThreatFeedName = nameof(ThreatFeedName); + public static string ThreatGeoCountryIsoCode = nameof(ThreatGeoCountryIsoCode); /// - /// threat.feed.reference - /// Reference information for the threat feed in a UI friendly format. - /// https://otx.alienvault.com + /// threat.geo.country_name + /// Country name. + /// Canada /// - public static string ThreatFeedReference = nameof(ThreatFeedReference); + public static string ThreatGeoCountryName = nameof(ThreatGeoCountryName); /// - /// threat.framework - /// Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - /// MITRE ATT&CK + /// threat.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc /// - public static string ThreatFramework = nameof(ThreatFramework); + public static string ThreatGeoName = nameof(ThreatGeoName); /// - /// threat.group.id - /// The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. - /// While not required, you can use a MITRE ATT&CK® group id. - /// G0037 + /// threat.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 /// - public static string ThreatGroupId = nameof(ThreatGroupId); + public static string ThreatGeoPostalCode = nameof(ThreatGeoPostalCode); /// - /// threat.group.name - /// The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. 
- /// While not required, you can use a MITRE ATT&CK® group name. - /// FIN6 + /// threat.geo.region_iso_code + /// Region ISO code. + /// CA-QC /// - public static string ThreatGroupName = nameof(ThreatGroupName); + public static string ThreatGeoRegionIsoCode = nameof(ThreatGeoRegionIsoCode); /// - /// threat.group.reference - /// The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. - /// While not required, you can use a MITRE ATT&CK® group reference URL. - /// https://attack.mitre.org/groups/G0037/ + /// threat.geo.region_name + /// Region name. + /// Quebec /// - public static string ThreatGroupReference = nameof(ThreatGroupReference); + public static string ThreatGeoRegionName = nameof(ThreatGeoRegionName); /// - /// threat.indicator.confidence - /// Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. - ///
Expected Values:
- /// - /// Not Specified - /// None - /// Low - /// Medium - /// High - ///
- /// Medium + /// threat.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires ///
- public static string ThreatIndicatorConfidence = nameof(ThreatIndicatorConfidence); + public static string ThreatGeoTimezone = nameof(ThreatGeoTimezone); /// - /// threat.indicator.description - /// Describes the type of action conducted by the threat. - /// IP x.x.x.x was observed delivering the Angler EK. + /// threat.registry.data.bytes + /// Original bytes written with base64 encoding. + /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= /// - public static string ThreatIndicatorDescription = nameof(ThreatIndicatorDescription); + public static string ThreatRegistryDataBytes = nameof(ThreatRegistryDataBytes); /// - /// threat.indicator.email.address - /// Identifies a threat indicator as an email address (irrespective of direction). - /// phish@example.com + /// threat.registry.data.type + /// Standard registry type for encoding contents + /// REG_SZ /// - public static string ThreatIndicatorEmailAddress = nameof(ThreatIndicatorEmailAddress); + public static string ThreatRegistryDataType = nameof(ThreatRegistryDataType); /// - /// threat.indicator.first_seen - /// The date and time when intelligence source first reported sighting this indicator. - /// 11/5/2020 5:25:47 PM + /// threat.registry.hive + /// Abbreviated name for the hive. + /// HKLM /// - public static string ThreatIndicatorFirstSeen = nameof(ThreatIndicatorFirstSeen); + public static string ThreatRegistryHive = nameof(ThreatRegistryHive); /// - /// threat.indicator.ip - /// Identifies a threat indicator as an IP address (irrespective of direction). - /// 1.2.3.4 + /// threat.registry.key + /// Hive-relative path of keys. 
+ /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe /// - public static string ThreatIndicatorIp = nameof(ThreatIndicatorIp); + public static string ThreatRegistryKey = nameof(ThreatRegistryKey); /// - /// threat.indicator.last_seen - /// The date and time when intelligence source last reported sighting this indicator. - /// 11/5/2020 5:25:47 PM + /// threat.registry.path + /// Full path, including hive, key and value + /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger /// - public static string ThreatIndicatorLastSeen = nameof(ThreatIndicatorLastSeen); + public static string ThreatRegistryPath = nameof(ThreatRegistryPath); /// - /// threat.indicator.marking.tlp - /// Traffic Light Protocol sharing markings. - ///
Expected Values:
- /// - /// WHITE - /// CLEAR - /// GREEN - /// AMBER - /// AMBER+STRICT - /// RED - ///
- /// CLEAR + /// threat.registry.value + /// Name of the value written. + /// Debugger ///
- public static string ThreatIndicatorMarkingTlp = nameof(ThreatIndicatorMarkingTlp); + public static string ThreatRegistryValue = nameof(ThreatRegistryValue); /// - /// threat.indicator.marking.tlp_version - /// Traffic Light Protocol version. - /// 2.0 + /// threat.url.domain + /// Domain of the url, such as "www.elastic.co". + /// In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + /// If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + /// www.elastic.co /// - public static string ThreatIndicatorMarkingTlpVersion = nameof(ThreatIndicatorMarkingTlpVersion); + public static string ThreatUrlDomain = nameof(ThreatUrlDomain); /// - /// threat.indicator.modified_at - /// The date and time when intelligence source last modified information for this indicator. - /// 11/5/2020 5:25:47 PM + /// threat.url.extension + /// The field contains the file extension from the original request url, excluding the leading dot. + /// The file extension is only set if it exists, as not every url has a file extension. + /// The leading period must not be included. For example, the value must be "png", not ".png". + /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + /// png /// - public static string ThreatIndicatorModifiedAt = nameof(ThreatIndicatorModifiedAt); + public static string ThreatUrlExtension = nameof(ThreatUrlExtension); /// - /// threat.indicator.name - /// The display name indicator in an UI friendly format - /// URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. - /// 5.2.75.227 + /// threat.url.fragment + /// Portion of the url after the `#`, such as "top". + /// The `#` is not part of the fragment. 
+ /// /// - public static string ThreatIndicatorName = nameof(ThreatIndicatorName); + public static string ThreatUrlFragment = nameof(ThreatUrlFragment); /// - /// threat.indicator.port - /// Identifies a threat indicator as a port number (irrespective of direction). - /// 443 + /// threat.url.full + /// If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + /// https://www.elastic.co:443/search?q=elasticsearch#top /// - public static string ThreatIndicatorPort = nameof(ThreatIndicatorPort); + public static string ThreatUrlFull = nameof(ThreatUrlFull); /// - /// threat.indicator.provider - /// The name of the indicator's provider. - /// lrz_urlhaus + /// threat.url.original + /// Unmodified original url as seen in the event source. + /// Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + /// This field is meant to represent the URL as it was observed, complete or not. + /// https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch /// - public static string ThreatIndicatorProvider = nameof(ThreatIndicatorProvider); + public static string ThreatUrlOriginal = nameof(ThreatUrlOriginal); /// - /// threat.indicator.reference - /// Reference URL linking to additional information about this indicator. - /// https://system.example.com/indicator/0001234 + /// threat.url.password + /// Password of the request. + /// /// - public static string ThreatIndicatorReference = nameof(ThreatIndicatorReference); + public static string ThreatUrlPassword = nameof(ThreatUrlPassword); /// - /// threat.indicator.scanner_stats - /// Count of AV/EDR vendors that successfully detected malicious file or URL. - /// 4 + /// threat.url.path + /// Path of the request, such as "/search". 
+ /// /// - public static string ThreatIndicatorScannerStats = nameof(ThreatIndicatorScannerStats); + public static string ThreatUrlPath = nameof(ThreatUrlPath); /// - /// threat.indicator.sightings - /// Number of times this indicator was observed conducting threat activity. - /// 20 + /// threat.url.port + /// Port of the request, such as 443. + /// 443 /// - public static string ThreatIndicatorSightings = nameof(ThreatIndicatorSightings); + public static string ThreatUrlPort = nameof(ThreatUrlPort); /// - /// threat.indicator.type - /// Type of indicator as represented by Cyber Observable in STIX 2.0. - ///
Expected Values:
- /// - /// autonomous-system - /// artifact - /// directory - /// domain-name - /// email-addr - /// file - /// ipv4-addr - /// ipv6-addr - /// mac-addr - /// mutex - /// port - /// process - /// software - /// url - /// user-account - /// windows-registry-key - /// x509-certificate - ///
- /// ipv4-addr + /// threat.url.query + /// The query field describes the query string of the request, such as "q=elasticsearch". + /// The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + /// ///
- public static string ThreatIndicatorType = nameof(ThreatIndicatorType); + public static string ThreatUrlQuery = nameof(ThreatUrlQuery); /// - /// threat.software.id - /// The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software id. - /// S0552 + /// threat.url.registered_domain + /// The highest registered url domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com /// - public static string ThreatSoftwareId = nameof(ThreatSoftwareId); + public static string ThreatUrlRegisteredDomain = nameof(ThreatUrlRegisteredDomain); /// - /// threat.software.name - /// The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software name. - /// AdFind + /// threat.url.scheme + /// Scheme of the request, such as "https". + /// Note: The `:` is not part of the scheme. + /// https /// - public static string ThreatSoftwareName = nameof(ThreatSoftwareName); + public static string ThreatUrlScheme = nameof(ThreatUrlScheme); /// - /// threat.software.reference - /// The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software reference URL. - /// https://attack.mitre.org/software/S0552/ + /// threat.url.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east /// - public static string ThreatSoftwareReference = nameof(ThreatSoftwareReference); + public static string ThreatUrlSubdomain = nameof(ThreatUrlSubdomain); /// - /// threat.software.type - /// The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software type. - ///
Expected Values:
- /// - /// Malware - /// Tool - ///
- /// Tool + /// threat.url.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk ///
- public static string ThreatSoftwareType = nameof(ThreatSoftwareType); + public static string ThreatUrlTopLevelDomain = nameof(ThreatUrlTopLevelDomain); + /// + /// threat.url.username + /// Username of the request. + /// + /// + public static string ThreatUrlUsername = nameof(ThreatUrlUsername); /// /// tls.cipher /// String indicating the cipher used during the current connection. @@ -2962,6 +7237,73 @@ public static class LogTemplateProperties /// public static string TlsVersionProtocol = nameof(TlsVersionProtocol); /// + /// tls.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + /// + public static string TlsX509IssuerDistinguishedName = nameof(TlsX509IssuerDistinguishedName); + /// + /// tls.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM + /// + public static string TlsX509NotAfter = nameof(TlsX509NotAfter); + /// + /// tls.x509.not_before + /// Time at which the certificate is first considered valid. + /// 8/16/2019 1:40:25 AM + /// + public static string TlsX509NotBefore = nameof(TlsX509NotBefore); + /// + /// tls.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA + /// + public static string TlsX509PublicKeyAlgorithm = nameof(TlsX509PublicKeyAlgorithm); + /// + /// tls.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 + /// + public static string TlsX509PublicKeyCurve = nameof(TlsX509PublicKeyCurve); + /// + /// tls.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 + ///
+ public static string TlsX509PublicKeyExponent = nameof(TlsX509PublicKeyExponent); + /// + /// tls.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 + /// + public static string TlsX509PublicKeySize = nameof(TlsX509PublicKeySize); + /// + /// tls.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA + /// + public static string TlsX509SerialNumber = nameof(TlsX509SerialNumber); + /// + /// tls.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA + /// + public static string TlsX509SignatureAlgorithm = nameof(TlsX509SignatureAlgorithm); + /// + /// tls.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. + /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + /// + public static string TlsX509SubjectDistinguishedName = nameof(TlsX509SubjectDistinguishedName); + /// + /// tls.x509.version_number + /// Version of x509 format. + /// 3 + /// + public static string TlsX509VersionNumber = nameof(TlsX509VersionNumber); + /// /// url.domain /// Domain of the url, such as "www.elastic.co". /// In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
@@ -3098,6 +7440,99 @@ public static class LogTemplateProperties /// public static string UserName = nameof(UserName); /// + /// user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string UserGroupDomain = nameof(UserGroupDomain); + /// + /// user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string UserGroupId = nameof(UserGroupId); + /// + /// user.group.name + /// Name of the group. + /// + /// + public static string UserGroupName = nameof(UserGroupName); + /// + /// user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string UserRiskCalculatedLevel = nameof(UserRiskCalculatedLevel); + /// + /// user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string UserRiskCalculatedScore = nameof(UserRiskCalculatedScore); + /// + /// user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string UserRiskCalculatedScoreNorm = nameof(UserRiskCalculatedScoreNorm); + /// + /// user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string UserRiskStaticLevel = nameof(UserRiskStaticLevel); + /// + /// user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// 830.0 + /// + public static string UserRiskStaticScore = nameof(UserRiskStaticScore); + /// + /// user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string UserRiskStaticScoreNorm = nameof(UserRiskStaticScoreNorm); + /// + /// user.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string UserUserDomain = nameof(UserUserDomain); + /// + /// user.user.email + /// User email address. + /// + /// + public static string UserUserEmail = nameof(UserUserEmail); + /// + /// user.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string UserUserFullName = nameof(UserUserFullName); + /// + /// user.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string UserUserHash = nameof(UserUserHash); + /// + /// user.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string UserUserId = nameof(UserUserId); + /// + /// user.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string UserUserName = nameof(UserUserName); + /// /// user_agent.device.name /// Name of the device. /// iPhone 
@@ -3122,6 +7557,58 @@ public static class LogTemplateProperties /// public static string UserAgentVersion = nameof(UserAgentVersion); /// + /// user_agent.os.family + /// OS family (such as redhat, debian, freebsd, windows). + /// debian + /// + public static string UserAgentOsFamily = nameof(UserAgentOsFamily); + /// + /// user_agent.os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string UserAgentOsFull = nameof(UserAgentOsFull); + /// + /// user_agent.os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string UserAgentOsKernel = nameof(UserAgentOsKernel); + /// + /// user_agent.os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string UserAgentOsName = nameof(UserAgentOsName); + /// + /// user_agent.os.platform + /// Operating system platform (such centos, ubuntu, windows). + /// darwin + /// + public static string UserAgentOsPlatform = nameof(UserAgentOsPlatform); + /// + /// user_agent.os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string UserAgentOsType = nameof(UserAgentOsType); + /// + /// user_agent.os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string UserAgentOsVersion = nameof(UserAgentOsVersion); + /// /// vlan.id /// VLAN ID as reported by the observer. /// 10 
@@ -3305,6 +7792,39 @@ public static class LogTemplateProperties "client.registered_domain", ClientRegisteredDomain, "client.subdomain", ClientSubdomain, "client.top_level_domain", ClientTopLevelDomain, + "client.as.number", ClientAsNumber, + "client.as.organization.name", ClientAsOrganizationName, + "client.geo.city_name", ClientGeoCityName, + "client.geo.continent_code", ClientGeoContinentCode, + "client.geo.continent_name", ClientGeoContinentName, + "client.geo.country_iso_code", ClientGeoCountryIsoCode, + "client.geo.country_name", ClientGeoCountryName, + "client.geo.name", ClientGeoName, + "client.geo.postal_code", ClientGeoPostalCode, + "client.geo.region_iso_code", ClientGeoRegionIsoCode, + "client.geo.region_name", ClientGeoRegionName, + "client.geo.timezone", ClientGeoTimezone, + "client.user.domain", ClientUserDomain, + "client.user.email", ClientUserEmail, + "client.user.full_name", ClientUserFullName, + "client.user.hash", ClientUserHash, + "client.user.id", ClientUserId, + "client.user.name", ClientUserName, + "client.user.group.domain", ClientUserGroupDomain, + "client.user.group.id", ClientUserGroupId, + "client.user.group.name", ClientUserGroupName, + "client.user.risk.calculated_level", ClientUserRiskCalculatedLevel, + "client.user.risk.calculated_score", ClientUserRiskCalculatedScore, + "client.user.risk.calculated_score_norm", ClientUserRiskCalculatedScoreNorm, + "client.user.risk.static_level", ClientUserRiskStaticLevel, + "client.user.risk.static_score", ClientUserRiskStaticScore, + "client.user.risk.static_score_norm", ClientUserRiskStaticScoreNorm, + "client.user.user.domain", ClientUserUserDomain, + "client.user.user.email", ClientUserUserEmail, + "client.user.user.full_name", ClientUserUserFullName, + "client.user.user.hash", ClientUserUserHash, + "client.user.user.id", ClientUserUserId, + "client.user.user.name", ClientUserUserName, "cloud.account.id", CloudAccountId, "cloud.account.name", CloudAccountName, "cloud.availability_zone", 
CloudAvailabilityZone, @@ -3316,6 +7836,17 @@ public static class LogTemplateProperties "cloud.provider", CloudProvider, "cloud.region", CloudRegion, "cloud.service.name", CloudServiceName, + "cloud.cloud.account.id", CloudCloudAccountId, + "cloud.cloud.account.name", CloudCloudAccountName, + "cloud.cloud.availability_zone", CloudCloudAvailabilityZone, + "cloud.cloud.instance.id", CloudCloudInstanceId, + "cloud.cloud.instance.name", CloudCloudInstanceName, + "cloud.cloud.machine.type", CloudCloudMachineType, + "cloud.cloud.project.id", CloudCloudProjectId, + "cloud.cloud.project.name", CloudCloudProjectName, + "cloud.cloud.provider", CloudCloudProvider, + "cloud.cloud.region", CloudCloudRegion, + "cloud.cloud.service.name", CloudCloudServiceName, "code_signature.digest_algorithm", CodeSignatureDigestAlgorithm, "code_signature.exists", CodeSignatureExists, "code_signature.signing_id", CodeSignatureSigningId, 
@@ -3351,12 +7882,77 @@ public static class LogTemplateProperties "destination.registered_domain", DestinationRegisteredDomain, "destination.subdomain", DestinationSubdomain, "destination.top_level_domain", DestinationTopLevelDomain, + "destination.as.number", DestinationAsNumber, + "destination.as.organization.name", DestinationAsOrganizationName, + "destination.geo.city_name", DestinationGeoCityName, + "destination.geo.continent_code", DestinationGeoContinentCode, + "destination.geo.continent_name", DestinationGeoContinentName, + "destination.geo.country_iso_code", DestinationGeoCountryIsoCode, + "destination.geo.country_name", DestinationGeoCountryName, + "destination.geo.name", DestinationGeoName, + "destination.geo.postal_code", DestinationGeoPostalCode, + "destination.geo.region_iso_code", DestinationGeoRegionIsoCode, + "destination.geo.region_name", DestinationGeoRegionName, + "destination.geo.timezone", DestinationGeoTimezone, + "destination.user.domain", DestinationUserDomain, + "destination.user.email", DestinationUserEmail, + "destination.user.full_name", DestinationUserFullName, + "destination.user.hash", DestinationUserHash, + "destination.user.id", DestinationUserId, + "destination.user.name", DestinationUserName, + "destination.user.group.domain", DestinationUserGroupDomain, + "destination.user.group.id", DestinationUserGroupId, + "destination.user.group.name", DestinationUserGroupName, + "destination.user.risk.calculated_level", DestinationUserRiskCalculatedLevel, + "destination.user.risk.calculated_score", DestinationUserRiskCalculatedScore, + "destination.user.risk.calculated_score_norm", DestinationUserRiskCalculatedScoreNorm, + "destination.user.risk.static_level", DestinationUserRiskStaticLevel, + "destination.user.risk.static_score", DestinationUserRiskStaticScore, + "destination.user.risk.static_score_norm", DestinationUserRiskStaticScoreNorm, + "destination.user.user.domain", DestinationUserUserDomain, + "destination.user.user.email", 
DestinationUserUserEmail, + "destination.user.user.full_name", DestinationUserUserFullName, + "destination.user.user.hash", DestinationUserUserHash, + "destination.user.user.id", DestinationUserUserId, + "destination.user.user.name", DestinationUserUserName, "device.id", DeviceId, "device.manufacturer", DeviceManufacturer, "device.model.identifier", DeviceModelIdentifier, "device.model.name", DeviceModelName, "dll.name", DllName, "dll.path", DllPath, + "dll.hash.md5", DllHashMd5, + "dll.hash.sha1", DllHashSha1, + "dll.hash.sha256", DllHashSha256, + "dll.hash.sha384", DllHashSha384, + "dll.hash.sha512", DllHashSha512, + "dll.hash.ssdeep", DllHashSsdeep, + "dll.hash.tlsh", DllHashTlsh, + "dll.pe.architecture", DllPeArchitecture, + "dll.pe.company", DllPeCompany, + "dll.pe.description", DllPeDescription, + "dll.pe.file_version", DllPeFileVersion, + "dll.pe.go_import_hash", DllPeGoImportHash, + "dll.pe.go_imports", DllPeGoImports, + "dll.pe.go_imports_names_entropy", DllPeGoImportsNamesEntropy, + "dll.pe.go_imports_names_var_entropy", DllPeGoImportsNamesVarEntropy, + "dll.pe.go_stripped", DllPeGoStripped, + "dll.pe.imphash", DllPeImphash, + "dll.pe.import_hash", DllPeImportHash, + "dll.pe.imports_names_entropy", DllPeImportsNamesEntropy, + "dll.pe.imports_names_var_entropy", DllPeImportsNamesVarEntropy, + "dll.pe.original_file_name", DllPeOriginalFileName, + "dll.pe.pehash", DllPePehash, + "dll.pe.product", DllPeProduct, + "dll.code_signature.digest_algorithm", DllCodeSignatureDigestAlgorithm, + "dll.code_signature.exists", DllCodeSignatureExists, + "dll.code_signature.signing_id", DllCodeSignatureSigningId, + "dll.code_signature.status", DllCodeSignatureStatus, + "dll.code_signature.subject_name", DllCodeSignatureSubjectName, + "dll.code_signature.team_id", DllCodeSignatureTeamId, + "dll.code_signature.timestamp", DllCodeSignatureTimestamp, + "dll.code_signature.trusted", DllCodeSignatureTrusted, + "dll.code_signature.valid", DllCodeSignatureValid, "dns.id", DnsId, 
"dns.op_code", DnsOpCode, "dns.question.class", DnsQuestionClass, 
@@ -3455,6 +8051,79 @@ public static class LogTemplateProperties "file.target_path", FileTargetPath, "file.type", FileType, "file.uid", FileUid, + "file.hash.md5", FileHashMd5, + "file.hash.sha1", FileHashSha1, + "file.hash.sha256", FileHashSha256, + "file.hash.sha384", FileHashSha384, + "file.hash.sha512", FileHashSha512, + "file.hash.ssdeep", FileHashSsdeep, + "file.hash.tlsh", FileHashTlsh, + "file.pe.architecture", FilePeArchitecture, + "file.pe.company", FilePeCompany, + "file.pe.description", FilePeDescription, + "file.pe.file_version", FilePeFileVersion, + "file.pe.go_import_hash", FilePeGoImportHash, + "file.pe.go_imports", FilePeGoImports, + "file.pe.go_imports_names_entropy", FilePeGoImportsNamesEntropy, + "file.pe.go_imports_names_var_entropy", FilePeGoImportsNamesVarEntropy, + "file.pe.go_stripped", FilePeGoStripped, + "file.pe.imphash", FilePeImphash, + "file.pe.import_hash", FilePeImportHash, + "file.pe.imports_names_entropy", FilePeImportsNamesEntropy, + "file.pe.imports_names_var_entropy", FilePeImportsNamesVarEntropy, + "file.pe.original_file_name", FilePeOriginalFileName, + "file.pe.pehash", FilePePehash, + "file.pe.product", FilePeProduct, + "file.x509.issuer.distinguished_name", FileX509IssuerDistinguishedName, + "file.x509.not_after", FileX509NotAfter, + "file.x509.not_before", FileX509NotBefore, + "file.x509.public_key_algorithm", FileX509PublicKeyAlgorithm, + "file.x509.public_key_curve", FileX509PublicKeyCurve, + "file.x509.public_key_exponent", FileX509PublicKeyExponent, + "file.x509.public_key_size", FileX509PublicKeySize, + "file.x509.serial_number", FileX509SerialNumber, + "file.x509.signature_algorithm", FileX509SignatureAlgorithm, + "file.x509.subject.distinguished_name", FileX509SubjectDistinguishedName, + "file.x509.version_number", FileX509VersionNumber, + "file.code_signature.digest_algorithm", FileCodeSignatureDigestAlgorithm, + "file.code_signature.exists", FileCodeSignatureExists, + "file.code_signature.signing_id", 
FileCodeSignatureSigningId, + "file.code_signature.status", FileCodeSignatureStatus, + "file.code_signature.subject_name", FileCodeSignatureSubjectName, + "file.code_signature.team_id", FileCodeSignatureTeamId, + "file.code_signature.timestamp", FileCodeSignatureTimestamp, + "file.code_signature.trusted", FileCodeSignatureTrusted, + "file.code_signature.valid", FileCodeSignatureValid, + "file.elf.architecture", FileElfArchitecture, + "file.elf.byte_order", FileElfByteOrder, + "file.elf.cpu_type", FileElfCpuType, + "file.elf.creation_date", FileElfCreationDate, + "file.elf.go_import_hash", FileElfGoImportHash, + "file.elf.go_imports", FileElfGoImports, + "file.elf.go_imports_names_entropy", FileElfGoImportsNamesEntropy, + "file.elf.go_imports_names_var_entropy", FileElfGoImportsNamesVarEntropy, + "file.elf.go_stripped", FileElfGoStripped, + "file.elf.header.abi_version", FileElfHeaderAbiVersion, + "file.elf.header.class", FileElfHeaderClass, + "file.elf.header.data", FileElfHeaderData, + "file.elf.header.entrypoint", FileElfHeaderEntrypoint, + "file.elf.header.object_version", FileElfHeaderObjectVersion, + "file.elf.header.os_abi", FileElfHeaderOsAbi, + "file.elf.header.type", FileElfHeaderType, + "file.elf.header.version", FileElfHeaderVersion, + "file.elf.import_hash", FileElfImportHash, + "file.elf.imports_names_entropy", FileElfImportsNamesEntropy, + "file.elf.imports_names_var_entropy", FileElfImportsNamesVarEntropy, + "file.elf.telfhash", FileElfTelfhash, + "file.macho.go_import_hash", FileMachoGoImportHash, + "file.macho.go_imports", FileMachoGoImports, + "file.macho.go_imports_names_entropy", FileMachoGoImportsNamesEntropy, + "file.macho.go_imports_names_var_entropy", FileMachoGoImportsNamesVarEntropy, + "file.macho.go_stripped", FileMachoGoStripped, + "file.macho.import_hash", FileMachoImportHash, + "file.macho.imports_names_entropy", FileMachoImportsNamesEntropy, + "file.macho.imports_names_var_entropy", FileMachoImportsNamesVarEntropy, + 
"file.macho.symhash", FileMachoSymhash, "geo.city_name", GeoCityName, "geo.continent_code", GeoContinentCode, "geo.continent_name", GeoContinentName, @@ -3491,6 +8160,29 @@ public static class LogTemplateProperties "host.pid_ns_ino", HostPidNsIno, "host.type", HostType, "host.uptime", HostUptime, + "host.geo.city_name", HostGeoCityName, + "host.geo.continent_code", HostGeoContinentCode, + "host.geo.continent_name", HostGeoContinentName, + "host.geo.country_iso_code", HostGeoCountryIsoCode, + "host.geo.country_name", HostGeoCountryName, + "host.geo.name", HostGeoName, + "host.geo.postal_code", HostGeoPostalCode, + "host.geo.region_iso_code", HostGeoRegionIsoCode, + "host.geo.region_name", HostGeoRegionName, + "host.geo.timezone", HostGeoTimezone, + "host.os.family", HostOsFamily, + "host.os.full", HostOsFull, + "host.os.kernel", HostOsKernel, + "host.os.name", HostOsName, + "host.os.platform", HostOsPlatform, + "host.os.type", HostOsType, + "host.os.version", HostOsVersion, + "host.risk.calculated_level", HostRiskCalculatedLevel, + "host.risk.calculated_score", HostRiskCalculatedScore, + "host.risk.calculated_score_norm", HostRiskCalculatedScoreNorm, + "host.risk.static_level", HostRiskStaticLevel, + "host.risk.static_score", HostRiskStaticScore, + "host.risk.static_score_norm", HostRiskStaticScoreNorm, "http.request.body.bytes", HttpRequestBodyBytes, "http.request.body.content", HttpRequestBodyContent, "http.request.bytes", HttpRequestBytes, @@ -3533,6 +8225,8 @@ public static class LogTemplateProperties "network.protocol", NetworkProtocol, "network.transport", NetworkTransport, "network.type", NetworkType, + "network.vlan.id", NetworkVlanId, + "network.vlan.name", NetworkVlanName, "observer.hostname", ObserverHostname, "observer.name", ObserverName, "observer.product", ObserverProduct, 
@@ -3540,6 +8234,23 @@ public static class LogTemplateProperties "observer.type", ObserverType, "observer.vendor", ObserverVendor, "observer.version", ObserverVersion, + "observer.geo.city_name", ObserverGeoCityName, + "observer.geo.continent_code", ObserverGeoContinentCode, + "observer.geo.continent_name", ObserverGeoContinentName, + "observer.geo.country_iso_code", ObserverGeoCountryIsoCode, + "observer.geo.country_name", ObserverGeoCountryName, + "observer.geo.name", ObserverGeoName, + "observer.geo.postal_code", ObserverGeoPostalCode, + "observer.geo.region_iso_code", ObserverGeoRegionIsoCode, + "observer.geo.region_name", ObserverGeoRegionName, + "observer.geo.timezone", ObserverGeoTimezone, + "observer.os.family", ObserverOsFamily, + "observer.os.full", ObserverOsFull, + "observer.os.kernel", ObserverOsKernel, + "observer.os.name", ObserverOsName, + "observer.os.platform", ObserverOsPlatform, + "observer.os.type", ObserverOsType, + "observer.os.version", ObserverOsVersion, "orchestrator.api_version", OrchestratorApiVersion, "orchestrator.cluster.id", OrchestratorClusterId, "orchestrator.cluster.name", OrchestratorClusterName, 
@@ -3607,6 +8318,239 @@ public static class LogTemplateProperties "process.uptime", ProcessUptime, "process.vpid", ProcessVpid, "process.working_directory", ProcessWorkingDirectory, + "process.group.domain", ProcessGroupDomain, + "process.group.id", ProcessGroupId, + "process.group.name", ProcessGroupName, + "process.hash.md5", ProcessHashMd5, + "process.hash.sha1", ProcessHashSha1, + "process.hash.sha256", ProcessHashSha256, + "process.hash.sha384", ProcessHashSha384, + "process.hash.sha512", ProcessHashSha512, + "process.hash.ssdeep", ProcessHashSsdeep, + "process.hash.tlsh", ProcessHashTlsh, + "process.pe.architecture", ProcessPeArchitecture, + "process.pe.company", ProcessPeCompany, + "process.pe.description", ProcessPeDescription, + "process.pe.file_version", ProcessPeFileVersion, + "process.pe.go_import_hash", ProcessPeGoImportHash, + "process.pe.go_imports", ProcessPeGoImports, + "process.pe.go_imports_names_entropy", ProcessPeGoImportsNamesEntropy, + "process.pe.go_imports_names_var_entropy", ProcessPeGoImportsNamesVarEntropy, + "process.pe.go_stripped", ProcessPeGoStripped, + "process.pe.imphash", ProcessPeImphash, + "process.pe.import_hash", ProcessPeImportHash, + "process.pe.imports_names_entropy", ProcessPeImportsNamesEntropy, + "process.pe.imports_names_var_entropy", ProcessPeImportsNamesVarEntropy, + "process.pe.original_file_name", ProcessPeOriginalFileName, + "process.pe.pehash", ProcessPePehash, + "process.pe.product", ProcessPeProduct, + "process.code_signature.digest_algorithm", ProcessCodeSignatureDigestAlgorithm, + "process.code_signature.exists", ProcessCodeSignatureExists, + "process.code_signature.signing_id", ProcessCodeSignatureSigningId, + "process.code_signature.status", ProcessCodeSignatureStatus, + "process.code_signature.subject_name", ProcessCodeSignatureSubjectName, + "process.code_signature.team_id", ProcessCodeSignatureTeamId, + "process.code_signature.timestamp", ProcessCodeSignatureTimestamp, + "process.code_signature.trusted", 
ProcessCodeSignatureTrusted, + "process.code_signature.valid", ProcessCodeSignatureValid, + "process.elf.architecture", ProcessElfArchitecture, + "process.elf.byte_order", ProcessElfByteOrder, + "process.elf.cpu_type", ProcessElfCpuType, + "process.elf.creation_date", ProcessElfCreationDate, + "process.elf.go_import_hash", ProcessElfGoImportHash, + "process.elf.go_imports", ProcessElfGoImports, + "process.elf.go_imports_names_entropy", ProcessElfGoImportsNamesEntropy, + "process.elf.go_imports_names_var_entropy", ProcessElfGoImportsNamesVarEntropy, + "process.elf.go_stripped", ProcessElfGoStripped, + "process.elf.header.abi_version", ProcessElfHeaderAbiVersion, + "process.elf.header.class", ProcessElfHeaderClass, + "process.elf.header.data", ProcessElfHeaderData, + "process.elf.header.entrypoint", ProcessElfHeaderEntrypoint, + "process.elf.header.object_version", ProcessElfHeaderObjectVersion, + "process.elf.header.os_abi", ProcessElfHeaderOsAbi, + "process.elf.header.type", ProcessElfHeaderType, + "process.elf.header.version", ProcessElfHeaderVersion, + "process.elf.import_hash", ProcessElfImportHash, + "process.elf.imports_names_entropy", ProcessElfImportsNamesEntropy, + "process.elf.imports_names_var_entropy", ProcessElfImportsNamesVarEntropy, + "process.elf.telfhash", ProcessElfTelfhash, + "process.macho.go_import_hash", ProcessMachoGoImportHash, + "process.macho.go_imports", ProcessMachoGoImports, + "process.macho.go_imports_names_entropy", ProcessMachoGoImportsNamesEntropy, + "process.macho.go_imports_names_var_entropy", ProcessMachoGoImportsNamesVarEntropy, + "process.macho.go_stripped", ProcessMachoGoStripped, + "process.macho.import_hash", ProcessMachoImportHash, + "process.macho.imports_names_entropy", ProcessMachoImportsNamesEntropy, + "process.macho.imports_names_var_entropy", ProcessMachoImportsNamesVarEntropy, + "process.macho.symhash", ProcessMachoSymhash, + "process.source.address", ProcessSourceAddress, + "process.source.bytes", ProcessSourceBytes, 
+ "process.source.domain", ProcessSourceDomain, + "process.source.ip", ProcessSourceIp, + "process.source.mac", ProcessSourceMac, + "process.source.nat.ip", ProcessSourceNatIp, + "process.source.nat.port", ProcessSourceNatPort, + "process.source.packets", ProcessSourcePackets, + "process.source.port", ProcessSourcePort, + "process.source.registered_domain", ProcessSourceRegisteredDomain, + "process.source.subdomain", ProcessSourceSubdomain, + "process.source.top_level_domain", ProcessSourceTopLevelDomain, + "process.source.as.number", ProcessSourceAsNumber, + "process.source.as.organization.name", ProcessSourceAsOrganizationName, + "process.source.geo.city_name", ProcessSourceGeoCityName, + "process.source.geo.continent_code", ProcessSourceGeoContinentCode, + "process.source.geo.continent_name", ProcessSourceGeoContinentName, + "process.source.geo.country_iso_code", ProcessSourceGeoCountryIsoCode, + "process.source.geo.country_name", ProcessSourceGeoCountryName, + "process.source.geo.name", ProcessSourceGeoName, + "process.source.geo.postal_code", ProcessSourceGeoPostalCode, + "process.source.geo.region_iso_code", ProcessSourceGeoRegionIsoCode, + "process.source.geo.region_name", ProcessSourceGeoRegionName, + "process.source.geo.timezone", ProcessSourceGeoTimezone, + "process.source.user.domain", ProcessSourceUserDomain, + "process.source.user.email", ProcessSourceUserEmail, + "process.source.user.full_name", ProcessSourceUserFullName, + "process.source.user.hash", ProcessSourceUserHash, + "process.source.user.id", ProcessSourceUserId, + "process.source.user.name", ProcessSourceUserName, + "process.source.user.group.domain", ProcessSourceUserGroupDomain, + "process.source.user.group.id", ProcessSourceUserGroupId, + "process.source.user.group.name", ProcessSourceUserGroupName, + "process.source.user.risk.calculated_level", ProcessSourceUserRiskCalculatedLevel, + "process.source.user.risk.calculated_score", ProcessSourceUserRiskCalculatedScore, + 
"process.source.user.risk.calculated_score_norm", ProcessSourceUserRiskCalculatedScoreNorm, + "process.source.user.risk.static_level", ProcessSourceUserRiskStaticLevel, + "process.source.user.risk.static_score", ProcessSourceUserRiskStaticScore, + "process.source.user.risk.static_score_norm", ProcessSourceUserRiskStaticScoreNorm, + "process.source.user.user.domain", ProcessSourceUserUserDomain, + "process.source.user.user.email", ProcessSourceUserUserEmail, + "process.source.user.user.full_name", ProcessSourceUserUserFullName, + "process.source.user.user.hash", ProcessSourceUserUserHash, + "process.source.user.user.id", ProcessSourceUserUserId, + "process.source.user.user.name", ProcessSourceUserUserName, + "process.user.domain", ProcessUserDomain, + "process.user.email", ProcessUserEmail, + "process.user.full_name", ProcessUserFullName, + "process.user.hash", ProcessUserHash, + "process.user.id", ProcessUserId, + "process.user.name", ProcessUserName, + "process.user.group.domain", ProcessUserGroupDomain, + "process.user.group.id", ProcessUserGroupId, + "process.user.group.name", ProcessUserGroupName, + "process.user.risk.calculated_level", ProcessUserRiskCalculatedLevel, + "process.user.risk.calculated_score", ProcessUserRiskCalculatedScore, + "process.user.risk.calculated_score_norm", ProcessUserRiskCalculatedScoreNorm, + "process.user.risk.static_level", ProcessUserRiskStaticLevel, + "process.user.risk.static_score", ProcessUserRiskStaticScore, + "process.user.risk.static_score_norm", ProcessUserRiskStaticScoreNorm, + "process.user.user.domain", ProcessUserUserDomain, + "process.user.user.email", ProcessUserUserEmail, + "process.user.user.full_name", ProcessUserUserFullName, + "process.user.user.hash", ProcessUserUserHash, + "process.user.user.id", ProcessUserUserId, + "process.user.user.name", ProcessUserUserName, + "process.process.args_count", ProcessProcessArgsCount, + "process.process.command_line", ProcessProcessCommandLine, + "process.process.end", 
ProcessProcessEnd, + "process.process.entity_id", ProcessProcessEntityId, + "process.process.executable", ProcessProcessExecutable, + "process.process.exit_code", ProcessProcessExitCode, + "process.process.interactive", ProcessProcessInteractive, + "process.process.name", ProcessProcessName, + "process.process.pgid", ProcessProcessPgid, + "process.process.pid", ProcessProcessPid, + "process.process.start", ProcessProcessStart, + "process.process.thread.id", ProcessProcessThreadId, + "process.process.thread.name", ProcessProcessThreadName, + "process.process.title", ProcessProcessTitle, + "process.process.uptime", ProcessProcessUptime, + "process.process.vpid", ProcessProcessVpid, + "process.process.working_directory", ProcessProcessWorkingDirectory, + "process.process.parent.process.args_count", ProcessProcessParentProcessArgsCount, + "process.process.parent.process.command_line", ProcessProcessParentProcessCommandLine, + "process.process.parent.process.end", ProcessProcessParentProcessEnd, + "process.process.parent.process.entity_id", ProcessProcessParentProcessEntityId, + "process.process.parent.process.executable", ProcessProcessParentProcessExecutable, + "process.process.parent.process.exit_code", ProcessProcessParentProcessExitCode, + "process.process.parent.process.interactive", ProcessProcessParentProcessInteractive, + "process.process.parent.process.name", ProcessProcessParentProcessName, + "process.process.parent.process.pgid", ProcessProcessParentProcessPgid, + "process.process.parent.process.pid", ProcessProcessParentProcessPid, + "process.process.parent.process.start", ProcessProcessParentProcessStart, + "process.process.parent.process.thread.id", ProcessProcessParentProcessThreadId, + "process.process.parent.process.thread.name", ProcessProcessParentProcessThreadName, + "process.process.parent.process.title", ProcessProcessParentProcessTitle, + "process.process.parent.process.uptime", ProcessProcessParentProcessUptime, + 
"process.process.parent.process.vpid", ProcessProcessParentProcessVpid, + "process.process.parent.process.working_directory", ProcessProcessParentProcessWorkingDirectory, + "process.process.entry_leader.process.args_count", ProcessProcessEntryLeaderProcessArgsCount, + "process.process.entry_leader.process.command_line", ProcessProcessEntryLeaderProcessCommandLine, + "process.process.entry_leader.process.end", ProcessProcessEntryLeaderProcessEnd, + "process.process.entry_leader.process.entity_id", ProcessProcessEntryLeaderProcessEntityId, + "process.process.entry_leader.process.executable", ProcessProcessEntryLeaderProcessExecutable, + "process.process.entry_leader.process.exit_code", ProcessProcessEntryLeaderProcessExitCode, + "process.process.entry_leader.process.interactive", ProcessProcessEntryLeaderProcessInteractive, + "process.process.entry_leader.process.name", ProcessProcessEntryLeaderProcessName, + "process.process.entry_leader.process.pgid", ProcessProcessEntryLeaderProcessPgid, + "process.process.entry_leader.process.pid", ProcessProcessEntryLeaderProcessPid, + "process.process.entry_leader.process.start", ProcessProcessEntryLeaderProcessStart, + "process.process.entry_leader.process.thread.id", ProcessProcessEntryLeaderProcessThreadId, + "process.process.entry_leader.process.thread.name", ProcessProcessEntryLeaderProcessThreadName, + "process.process.entry_leader.process.title", ProcessProcessEntryLeaderProcessTitle, + "process.process.entry_leader.process.uptime", ProcessProcessEntryLeaderProcessUptime, + "process.process.entry_leader.process.vpid", ProcessProcessEntryLeaderProcessVpid, + "process.process.entry_leader.process.working_directory", ProcessProcessEntryLeaderProcessWorkingDirectory, + "process.process.entry_leader.process.entry_leader.parent.process.args_count", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount, + "process.process.entry_leader.process.entry_leader.parent.process.command_line", 
ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine, + "process.process.entry_leader.process.entry_leader.parent.process.end", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd, + "process.process.entry_leader.process.entry_leader.parent.process.entity_id", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId, + "process.process.entry_leader.process.entry_leader.parent.process.executable", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable, + "process.process.entry_leader.process.entry_leader.parent.process.exit_code", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode, + "process.process.entry_leader.process.entry_leader.parent.process.interactive", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive, + "process.process.entry_leader.process.entry_leader.parent.process.name", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName, + "process.process.entry_leader.process.entry_leader.parent.process.pgid", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid, + "process.process.entry_leader.process.entry_leader.parent.process.pid", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid, + "process.process.entry_leader.process.entry_leader.parent.process.start", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart, + "process.process.entry_leader.process.entry_leader.parent.process.thread.id", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId, + "process.process.entry_leader.process.entry_leader.parent.process.thread.name", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName, + "process.process.entry_leader.process.entry_leader.parent.process.title", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle, + "process.process.entry_leader.process.entry_leader.parent.process.uptime", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime, + "process.process.entry_leader.process.entry_leader.parent.process.vpid", 
ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid, + "process.process.entry_leader.process.entry_leader.parent.process.working_directory", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory, + "process.process.session_leader.process.args_count", ProcessProcessSessionLeaderProcessArgsCount, + "process.process.session_leader.process.command_line", ProcessProcessSessionLeaderProcessCommandLine, + "process.process.session_leader.process.end", ProcessProcessSessionLeaderProcessEnd, + "process.process.session_leader.process.entity_id", ProcessProcessSessionLeaderProcessEntityId, + "process.process.session_leader.process.executable", ProcessProcessSessionLeaderProcessExecutable, + "process.process.session_leader.process.exit_code", ProcessProcessSessionLeaderProcessExitCode, + "process.process.session_leader.process.interactive", ProcessProcessSessionLeaderProcessInteractive, + "process.process.session_leader.process.name", ProcessProcessSessionLeaderProcessName, + "process.process.session_leader.process.pgid", ProcessProcessSessionLeaderProcessPgid, + "process.process.session_leader.process.pid", ProcessProcessSessionLeaderProcessPid, + "process.process.session_leader.process.start", ProcessProcessSessionLeaderProcessStart, + "process.process.session_leader.process.thread.id", ProcessProcessSessionLeaderProcessThreadId, + "process.process.session_leader.process.thread.name", ProcessProcessSessionLeaderProcessThreadName, + "process.process.session_leader.process.title", ProcessProcessSessionLeaderProcessTitle, + "process.process.session_leader.process.uptime", ProcessProcessSessionLeaderProcessUptime, + "process.process.session_leader.process.vpid", ProcessProcessSessionLeaderProcessVpid, + "process.process.session_leader.process.working_directory", ProcessProcessSessionLeaderProcessWorkingDirectory, + "process.process.session_leader.process.session_leader.parent.process.args_count", 
ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount, + "process.process.session_leader.process.session_leader.parent.process.command_line", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine, + "process.process.session_leader.process.session_leader.parent.process.end", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd, + "process.process.session_leader.process.session_leader.parent.process.entity_id", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId, + "process.process.session_leader.process.session_leader.parent.process.executable", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable, + "process.process.session_leader.process.session_leader.parent.process.exit_code", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode, + "process.process.session_leader.process.session_leader.parent.process.interactive", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive, + "process.process.session_leader.process.session_leader.parent.process.name", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName, + "process.process.session_leader.process.session_leader.parent.process.pgid", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid, + "process.process.session_leader.process.session_leader.parent.process.pid", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid, + "process.process.session_leader.process.session_leader.parent.process.start", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart, + "process.process.session_leader.process.session_leader.parent.process.thread.id", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId, + "process.process.session_leader.process.session_leader.parent.process.thread.name", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName, + "process.process.session_leader.process.session_leader.parent.process.title", 
ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle, + "process.process.session_leader.process.session_leader.parent.process.uptime", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime, + "process.process.session_leader.process.session_leader.parent.process.vpid", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid, + "process.process.session_leader.process.session_leader.parent.process.working_directory", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory, "registry.data.bytes", RegistryDataBytes, "registry.data.type", RegistryDataType, "registry.hive", RegistryHive, 
@@ -3640,6 +8584,39 @@ public static class LogTemplateProperties "server.registered_domain", ServerRegisteredDomain, "server.subdomain", ServerSubdomain, "server.top_level_domain", ServerTopLevelDomain, + "server.as.number", ServerAsNumber, + "server.as.organization.name", ServerAsOrganizationName, + "server.geo.city_name", ServerGeoCityName, + "server.geo.continent_code", ServerGeoContinentCode, + "server.geo.continent_name", ServerGeoContinentName, + "server.geo.country_iso_code", ServerGeoCountryIsoCode, + "server.geo.country_name", ServerGeoCountryName, + "server.geo.name", ServerGeoName, + "server.geo.postal_code", ServerGeoPostalCode, + "server.geo.region_iso_code", ServerGeoRegionIsoCode, + "server.geo.region_name", ServerGeoRegionName, + "server.geo.timezone", ServerGeoTimezone, + "server.user.domain", ServerUserDomain, + "server.user.email", ServerUserEmail, + "server.user.full_name", ServerUserFullName, + "server.user.hash", ServerUserHash, + "server.user.id", ServerUserId, + "server.user.name", ServerUserName, + "server.user.group.domain", ServerUserGroupDomain, + "server.user.group.id", ServerUserGroupId, + "server.user.group.name", ServerUserGroupName, + "server.user.risk.calculated_level", ServerUserRiskCalculatedLevel, + "server.user.risk.calculated_score", ServerUserRiskCalculatedScore, + "server.user.risk.calculated_score_norm", ServerUserRiskCalculatedScoreNorm, + "server.user.risk.static_level", ServerUserRiskStaticLevel, + "server.user.risk.static_score", ServerUserRiskStaticScore, + "server.user.risk.static_score_norm", ServerUserRiskStaticScoreNorm, + "server.user.user.domain", ServerUserUserDomain, + "server.user.user.email", ServerUserUserEmail, + "server.user.user.full_name", ServerUserUserFullName, + "server.user.user.hash", ServerUserUserHash, + "server.user.user.id", ServerUserUserId, + "server.user.user.name", ServerUserUserName, "service.address", ServiceAddress, "service.environment", ServiceEnvironment, "service.ephemeral_id", 
ServiceEphemeralId, @@ -3650,6 +8627,16 @@ public static class LogTemplateProperties "service.state", ServiceState, "service.type", ServiceType, "service.version", ServiceVersion, + "service.service.address", ServiceServiceAddress, + "service.service.environment", ServiceServiceEnvironment, + "service.service.ephemeral_id", ServiceServiceEphemeralId, + "service.service.id", ServiceServiceId, + "service.service.name", ServiceServiceName, + "service.service.node.name", ServiceServiceNodeName, + "service.service.node.role", ServiceServiceNodeRole, + "service.service.state", ServiceServiceState, + "service.service.type", ServiceServiceType, + "service.service.version", ServiceServiceVersion, "source.address", SourceAddress, "source.bytes", SourceBytes, "source.domain", SourceDomain, 
@@ -3662,6 +8649,39 @@ public static class LogTemplateProperties "source.registered_domain", SourceRegisteredDomain, "source.subdomain", SourceSubdomain, "source.top_level_domain", SourceTopLevelDomain, + "source.as.number", SourceAsNumber, + "source.as.organization.name", SourceAsOrganizationName, + "source.geo.city_name", SourceGeoCityName, + "source.geo.continent_code", SourceGeoContinentCode, + "source.geo.continent_name", SourceGeoContinentName, + "source.geo.country_iso_code", SourceGeoCountryIsoCode, + "source.geo.country_name", SourceGeoCountryName, + "source.geo.name", SourceGeoName, + "source.geo.postal_code", SourceGeoPostalCode, + "source.geo.region_iso_code", SourceGeoRegionIsoCode, + "source.geo.region_name", SourceGeoRegionName, + "source.geo.timezone", SourceGeoTimezone, + "source.user.domain", SourceUserDomain, + "source.user.email", SourceUserEmail, + "source.user.full_name", SourceUserFullName, + "source.user.hash", SourceUserHash, + "source.user.id", SourceUserId, + "source.user.name", SourceUserName, + "source.user.group.domain", SourceUserGroupDomain, + "source.user.group.id", SourceUserGroupId, + "source.user.group.name", SourceUserGroupName, + "source.user.risk.calculated_level", SourceUserRiskCalculatedLevel, + "source.user.risk.calculated_score", SourceUserRiskCalculatedScore, + "source.user.risk.calculated_score_norm", SourceUserRiskCalculatedScoreNorm, + "source.user.risk.static_level", SourceUserRiskStaticLevel, + "source.user.risk.static_score", SourceUserRiskStaticScore, + "source.user.risk.static_score_norm", SourceUserRiskStaticScoreNorm, + "source.user.user.domain", SourceUserUserDomain, + "source.user.user.email", SourceUserUserEmail, + "source.user.user.full_name", SourceUserUserFullName, + "source.user.user.hash", SourceUserUserHash, + "source.user.user.id", SourceUserUserId, + "source.user.user.name", SourceUserUserName, "threat.feed.dashboard_id", ThreatFeedDashboardId, "threat.feed.description", ThreatFeedDescription, 
"threat.feed.name", ThreatFeedName, 
@@ -3690,6 +8710,143 @@ public static class LogTemplateProperties "threat.software.name", ThreatSoftwareName, "threat.software.reference", ThreatSoftwareReference, "threat.software.type", ThreatSoftwareType, + "threat.x509.issuer.distinguished_name", ThreatX509IssuerDistinguishedName, + "threat.x509.not_after", ThreatX509NotAfter, + "threat.x509.not_before", ThreatX509NotBefore, + "threat.x509.public_key_algorithm", ThreatX509PublicKeyAlgorithm, + "threat.x509.public_key_curve", ThreatX509PublicKeyCurve, + "threat.x509.public_key_exponent", ThreatX509PublicKeyExponent, + "threat.x509.public_key_size", ThreatX509PublicKeySize, + "threat.x509.serial_number", ThreatX509SerialNumber, + "threat.x509.signature_algorithm", ThreatX509SignatureAlgorithm, + "threat.x509.subject.distinguished_name", ThreatX509SubjectDistinguishedName, + "threat.x509.version_number", ThreatX509VersionNumber, + "threat.as.number", ThreatAsNumber, + "threat.as.organization.name", ThreatAsOrganizationName, + "threat.file.accessed", ThreatFileAccessed, + "threat.file.created", ThreatFileCreated, + "threat.file.ctime", ThreatFileCtime, + "threat.file.device", ThreatFileDevice, + "threat.file.directory", ThreatFileDirectory, + "threat.file.drive_letter", ThreatFileDriveLetter, + "threat.file.extension", ThreatFileExtension, + "threat.file.fork_name", ThreatFileForkName, + "threat.file.gid", ThreatFileGid, + "threat.file.group", ThreatFileGroup, + "threat.file.inode", ThreatFileInode, + "threat.file.mime_type", ThreatFileMimeType, + "threat.file.mode", ThreatFileMode, + "threat.file.mtime", ThreatFileMtime, + "threat.file.name", ThreatFileName, + "threat.file.owner", ThreatFileOwner, + "threat.file.path", ThreatFilePath, + "threat.file.size", ThreatFileSize, + "threat.file.target_path", ThreatFileTargetPath, + "threat.file.type", ThreatFileType, + "threat.file.uid", ThreatFileUid, + "threat.file.hash.md5", ThreatFileHashMd5, + "threat.file.hash.sha1", ThreatFileHashSha1, + "threat.file.hash.sha256", 
ThreatFileHashSha256, + "threat.file.hash.sha384", ThreatFileHashSha384, + "threat.file.hash.sha512", ThreatFileHashSha512, + "threat.file.hash.ssdeep", ThreatFileHashSsdeep, + "threat.file.hash.tlsh", ThreatFileHashTlsh, + "threat.file.pe.architecture", ThreatFilePeArchitecture, + "threat.file.pe.company", ThreatFilePeCompany, + "threat.file.pe.description", ThreatFilePeDescription, + "threat.file.pe.file_version", ThreatFilePeFileVersion, + "threat.file.pe.go_import_hash", ThreatFilePeGoImportHash, + "threat.file.pe.go_imports", ThreatFilePeGoImports, + "threat.file.pe.go_imports_names_entropy", ThreatFilePeGoImportsNamesEntropy, + "threat.file.pe.go_imports_names_var_entropy", ThreatFilePeGoImportsNamesVarEntropy, + "threat.file.pe.go_stripped", ThreatFilePeGoStripped, + "threat.file.pe.imphash", ThreatFilePeImphash, + "threat.file.pe.import_hash", ThreatFilePeImportHash, + "threat.file.pe.imports_names_entropy", ThreatFilePeImportsNamesEntropy, + "threat.file.pe.imports_names_var_entropy", ThreatFilePeImportsNamesVarEntropy, + "threat.file.pe.original_file_name", ThreatFilePeOriginalFileName, + "threat.file.pe.pehash", ThreatFilePePehash, + "threat.file.pe.product", ThreatFilePeProduct, + "threat.file.x509.issuer.distinguished_name", ThreatFileX509IssuerDistinguishedName, + "threat.file.x509.not_after", ThreatFileX509NotAfter, + "threat.file.x509.not_before", ThreatFileX509NotBefore, + "threat.file.x509.public_key_algorithm", ThreatFileX509PublicKeyAlgorithm, + "threat.file.x509.public_key_curve", ThreatFileX509PublicKeyCurve, + "threat.file.x509.public_key_exponent", ThreatFileX509PublicKeyExponent, + "threat.file.x509.public_key_size", ThreatFileX509PublicKeySize, + "threat.file.x509.serial_number", ThreatFileX509SerialNumber, + "threat.file.x509.signature_algorithm", ThreatFileX509SignatureAlgorithm, + "threat.file.x509.subject.distinguished_name", ThreatFileX509SubjectDistinguishedName, + "threat.file.x509.version_number", ThreatFileX509VersionNumber, + 
"threat.file.code_signature.digest_algorithm", ThreatFileCodeSignatureDigestAlgorithm, + "threat.file.code_signature.exists", ThreatFileCodeSignatureExists, + "threat.file.code_signature.signing_id", ThreatFileCodeSignatureSigningId, + "threat.file.code_signature.status", ThreatFileCodeSignatureStatus, + "threat.file.code_signature.subject_name", ThreatFileCodeSignatureSubjectName, + "threat.file.code_signature.team_id", ThreatFileCodeSignatureTeamId, + "threat.file.code_signature.timestamp", ThreatFileCodeSignatureTimestamp, + "threat.file.code_signature.trusted", ThreatFileCodeSignatureTrusted, + "threat.file.code_signature.valid", ThreatFileCodeSignatureValid, + "threat.file.elf.architecture", ThreatFileElfArchitecture, + "threat.file.elf.byte_order", ThreatFileElfByteOrder, + "threat.file.elf.cpu_type", ThreatFileElfCpuType, + "threat.file.elf.creation_date", ThreatFileElfCreationDate, + "threat.file.elf.go_import_hash", ThreatFileElfGoImportHash, + "threat.file.elf.go_imports", ThreatFileElfGoImports, + "threat.file.elf.go_imports_names_entropy", ThreatFileElfGoImportsNamesEntropy, + "threat.file.elf.go_imports_names_var_entropy", ThreatFileElfGoImportsNamesVarEntropy, + "threat.file.elf.go_stripped", ThreatFileElfGoStripped, + "threat.file.elf.header.abi_version", ThreatFileElfHeaderAbiVersion, + "threat.file.elf.header.class", ThreatFileElfHeaderClass, + "threat.file.elf.header.data", ThreatFileElfHeaderData, + "threat.file.elf.header.entrypoint", ThreatFileElfHeaderEntrypoint, + "threat.file.elf.header.object_version", ThreatFileElfHeaderObjectVersion, + "threat.file.elf.header.os_abi", ThreatFileElfHeaderOsAbi, + "threat.file.elf.header.type", ThreatFileElfHeaderType, + "threat.file.elf.header.version", ThreatFileElfHeaderVersion, + "threat.file.elf.import_hash", ThreatFileElfImportHash, + "threat.file.elf.imports_names_entropy", ThreatFileElfImportsNamesEntropy, + "threat.file.elf.imports_names_var_entropy", ThreatFileElfImportsNamesVarEntropy, + 
"threat.file.elf.telfhash", ThreatFileElfTelfhash, + "threat.file.macho.go_import_hash", ThreatFileMachoGoImportHash, + "threat.file.macho.go_imports", ThreatFileMachoGoImports, + "threat.file.macho.go_imports_names_entropy", ThreatFileMachoGoImportsNamesEntropy, + "threat.file.macho.go_imports_names_var_entropy", ThreatFileMachoGoImportsNamesVarEntropy, + "threat.file.macho.go_stripped", ThreatFileMachoGoStripped, + "threat.file.macho.import_hash", ThreatFileMachoImportHash, + "threat.file.macho.imports_names_entropy", ThreatFileMachoImportsNamesEntropy, + "threat.file.macho.imports_names_var_entropy", ThreatFileMachoImportsNamesVarEntropy, + "threat.file.macho.symhash", ThreatFileMachoSymhash, + "threat.geo.city_name", ThreatGeoCityName, + "threat.geo.continent_code", ThreatGeoContinentCode, + "threat.geo.continent_name", ThreatGeoContinentName, + "threat.geo.country_iso_code", ThreatGeoCountryIsoCode, + "threat.geo.country_name", ThreatGeoCountryName, + "threat.geo.name", ThreatGeoName, + "threat.geo.postal_code", ThreatGeoPostalCode, + "threat.geo.region_iso_code", ThreatGeoRegionIsoCode, + "threat.geo.region_name", ThreatGeoRegionName, + "threat.geo.timezone", ThreatGeoTimezone, + "threat.registry.data.bytes", ThreatRegistryDataBytes, + "threat.registry.data.type", ThreatRegistryDataType, + "threat.registry.hive", ThreatRegistryHive, + "threat.registry.key", ThreatRegistryKey, + "threat.registry.path", ThreatRegistryPath, + "threat.registry.value", ThreatRegistryValue, + "threat.url.domain", ThreatUrlDomain, + "threat.url.extension", ThreatUrlExtension, + "threat.url.fragment", ThreatUrlFragment, + "threat.url.full", ThreatUrlFull, + "threat.url.original", ThreatUrlOriginal, + "threat.url.password", ThreatUrlPassword, + "threat.url.path", ThreatUrlPath, + "threat.url.port", ThreatUrlPort, + "threat.url.query", ThreatUrlQuery, + "threat.url.registered_domain", ThreatUrlRegisteredDomain, + "threat.url.scheme", ThreatUrlScheme, + "threat.url.subdomain", 
ThreatUrlSubdomain, + "threat.url.top_level_domain", ThreatUrlTopLevelDomain, + "threat.url.username", ThreatUrlUsername, "tls.cipher", TlsCipher, "tls.client.certificate", TlsClientCertificate, "tls.client.hash.md5", TlsClientHashMd5, @@ -3716,6 +8873,17 @@ public static class LogTemplateProperties "tls.server.subject", TlsServerSubject, "tls.version", TlsVersion, "tls.version_protocol", TlsVersionProtocol, + "tls.x509.issuer.distinguished_name", TlsX509IssuerDistinguishedName, + "tls.x509.not_after", TlsX509NotAfter, + "tls.x509.not_before", TlsX509NotBefore, + "tls.x509.public_key_algorithm", TlsX509PublicKeyAlgorithm, + "tls.x509.public_key_curve", TlsX509PublicKeyCurve, + "tls.x509.public_key_exponent", TlsX509PublicKeyExponent, + "tls.x509.public_key_size", TlsX509PublicKeySize, + "tls.x509.serial_number", TlsX509SerialNumber, + "tls.x509.signature_algorithm", TlsX509SignatureAlgorithm, + "tls.x509.subject.distinguished_name", TlsX509SubjectDistinguishedName, + "tls.x509.version_number", TlsX509VersionNumber, "url.domain", UrlDomain, "url.extension", UrlExtension, "url.fragment", UrlFragment, 
@@ -3736,10 +8904,32 @@ public static class LogTemplateProperties "user.hash", UserHash, "user.id", UserId, "user.name", UserName, + "user.group.domain", UserGroupDomain, + "user.group.id", UserGroupId, + "user.group.name", UserGroupName, + "user.risk.calculated_level", UserRiskCalculatedLevel, + "user.risk.calculated_score", UserRiskCalculatedScore, + "user.risk.calculated_score_norm", UserRiskCalculatedScoreNorm, + "user.risk.static_level", UserRiskStaticLevel, + "user.risk.static_score", UserRiskStaticScore, + "user.risk.static_score_norm", UserRiskStaticScoreNorm, + "user.user.domain", UserUserDomain, + "user.user.email", UserUserEmail, + "user.user.full_name", UserUserFullName, + "user.user.hash", UserUserHash, + "user.user.id", UserUserId, + "user.user.name", UserUserName, "user_agent.device.name", UserAgentDeviceName, "user_agent.name", UserAgentName, "user_agent.original", UserAgentOriginal, "user_agent.version", UserAgentVersion, + "user_agent.os.family", UserAgentOsFamily, + "user_agent.os.full", UserAgentOsFull, + "user_agent.os.kernel", UserAgentOsKernel, + "user_agent.os.name", UserAgentOsName, + "user_agent.os.platform", UserAgentOsPlatform, + "user_agent.os.type", UserAgentOsType, + "user_agent.os.version", UserAgentOsVersion, "vlan.id", VlanId, "vlan.name", VlanName, "vulnerability.classification", VulnerabilityClassification, diff --git a/src/Elastic.CommonSchema/PropDispatch.Generated.cs b/src/Elastic.CommonSchema/PropDispatch.Generated.cs index c3cbc6a4..0d7476e1 100644 --- a/src/Elastic.CommonSchema/PropDispatch.Generated.cs +++ b/src/Elastic.CommonSchema/PropDispatch.Generated.cs @@ -5,7 +5,7 @@ /* IMPORTANT NOTE ============== -This file has been generated. +This file has been generated. If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! */ 
@@ -24,7 +24,7 @@ If you wish to submit a PR please modify the original csharp file and submit the namespace Elastic.CommonSchema { /// - public partial class EcsDocument : BaseFieldSet + public partial class EcsDocument : BaseFieldSet { /// /// Set ECS fields by name on . @@ -43,9 +43,9 @@ public partial class EcsDocument : BaseFieldSet public void AssignField(string path, object value) { var assigned = LogTemplateProperties.All.Contains(path) && TrySet(this, path, value); - if (!assigned && LogTemplateEntities.All.Contains(path)) + if (!assigned && LogTemplateEntities.All.Contains(path)) assigned = TrySetEntity(this, path, value); - if (!assigned) + if (!assigned) SetMetaOrLabel(this, path, value); } } @@ -652,9 +652,9 @@ bool TypeCheck(Dictionary templatedObject, string typeName) => } } - internal static bool TrySet(EcsDocument document, string path, object value) + internal static bool TrySet(EcsDocument document, string path, object value) { - switch (path) + switch (path) { case "@timestamp": case "Timestamp": 
@@ -709,6 +709,72 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ClientSubdomain": case "client.top_level_domain": case "ClientTopLevelDomain": + case "client.as.number": + case "ClientAsNumber": + case "client.as.organization.name": + case "ClientAsOrganizationName": + case "client.geo.city_name": + case "ClientGeoCityName": + case "client.geo.continent_code": + case "ClientGeoContinentCode": + case "client.geo.continent_name": + case "ClientGeoContinentName": + case "client.geo.country_iso_code": + case "ClientGeoCountryIsoCode": + case "client.geo.country_name": + case "ClientGeoCountryName": + case "client.geo.name": + case "ClientGeoName": + case "client.geo.postal_code": + case "ClientGeoPostalCode": + case "client.geo.region_iso_code": + case "ClientGeoRegionIsoCode": + case "client.geo.region_name": + case "ClientGeoRegionName": + case "client.geo.timezone": + case "ClientGeoTimezone": + case "client.user.domain": + case "ClientUserDomain": + case "client.user.email": + case "ClientUserEmail": + case "client.user.full_name": + case "ClientUserFullName": + case "client.user.hash": + case "ClientUserHash": + case "client.user.id": + case "ClientUserId": + case "client.user.name": + case "ClientUserName": + case "client.user.group.domain": + case "ClientUserGroupDomain": + case "client.user.group.id": + case "ClientUserGroupId": + case "client.user.group.name": + case "ClientUserGroupName": + case "client.user.risk.calculated_level": + case "ClientUserRiskCalculatedLevel": + case "client.user.risk.calculated_score": + case "ClientUserRiskCalculatedScore": + case "client.user.risk.calculated_score_norm": + case "ClientUserRiskCalculatedScoreNorm": + case "client.user.risk.static_level": + case "ClientUserRiskStaticLevel": + case "client.user.risk.static_score": + case "ClientUserRiskStaticScore": + case "client.user.risk.static_score_norm": + case "ClientUserRiskStaticScoreNorm": + case "client.user.user.domain": + case 
"ClientUserUserDomain": + case "client.user.user.email": + case "ClientUserUserEmail": + case "client.user.user.full_name": + case "ClientUserUserFullName": + case "client.user.user.hash": + case "ClientUserUserHash": + case "client.user.user.id": + case "ClientUserUserId": + case "client.user.user.name": + case "ClientUserUserName": return TrySetClient(document, path, value); case "cloud.account.id": case "CloudAccountId": @@ -732,6 +798,28 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "CloudRegion": case "cloud.service.name": case "CloudServiceName": + case "cloud.cloud.account.id": + case "CloudCloudAccountId": + case "cloud.cloud.account.name": + case "CloudCloudAccountName": + case "cloud.cloud.availability_zone": + case "CloudCloudAvailabilityZone": + case "cloud.cloud.instance.id": + case "CloudCloudInstanceId": + case "cloud.cloud.instance.name": + case "CloudCloudInstanceName": + case "cloud.cloud.machine.type": + case "CloudCloudMachineType": + case "cloud.cloud.project.id": + case "CloudCloudProjectId": + case "cloud.cloud.project.name": + case "CloudCloudProjectName": + case "cloud.cloud.provider": + case "CloudCloudProvider": + case "cloud.cloud.region": + case "CloudCloudRegion": + case "cloud.cloud.service.name": + case "CloudCloudServiceName": return TrySetCloud(document, path, value); case "code_signature.digest_algorithm": case "CodeSignatureDigestAlgorithm": 
@@ -806,6 +894,72 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DestinationSubdomain": case "destination.top_level_domain": case "DestinationTopLevelDomain": + case "destination.as.number": + case "DestinationAsNumber": + case "destination.as.organization.name": + case "DestinationAsOrganizationName": + case "destination.geo.city_name": + case "DestinationGeoCityName": + case "destination.geo.continent_code": + case "DestinationGeoContinentCode": + case "destination.geo.continent_name": + case "DestinationGeoContinentName": + case "destination.geo.country_iso_code": + case "DestinationGeoCountryIsoCode": + case "destination.geo.country_name": + case "DestinationGeoCountryName": + case "destination.geo.name": + case "DestinationGeoName": + case "destination.geo.postal_code": + case "DestinationGeoPostalCode": + case "destination.geo.region_iso_code": + case "DestinationGeoRegionIsoCode": + case "destination.geo.region_name": + case "DestinationGeoRegionName": + case "destination.geo.timezone": + case "DestinationGeoTimezone": + case "destination.user.domain": + case "DestinationUserDomain": + case "destination.user.email": + case "DestinationUserEmail": + case "destination.user.full_name": + case "DestinationUserFullName": + case "destination.user.hash": + case "DestinationUserHash": + case "destination.user.id": + case "DestinationUserId": + case "destination.user.name": + case "DestinationUserName": + case "destination.user.group.domain": + case "DestinationUserGroupDomain": + case "destination.user.group.id": + case "DestinationUserGroupId": + case "destination.user.group.name": + case "DestinationUserGroupName": + case "destination.user.risk.calculated_level": + case "DestinationUserRiskCalculatedLevel": + case "destination.user.risk.calculated_score": + case "DestinationUserRiskCalculatedScore": + case "destination.user.risk.calculated_score_norm": + case "DestinationUserRiskCalculatedScoreNorm": + case 
"destination.user.risk.static_level": + case "DestinationUserRiskStaticLevel": + case "destination.user.risk.static_score": + case "DestinationUserRiskStaticScore": + case "destination.user.risk.static_score_norm": + case "DestinationUserRiskStaticScoreNorm": + case "destination.user.user.domain": + case "DestinationUserUserDomain": + case "destination.user.user.email": + case "DestinationUserUserEmail": + case "destination.user.user.full_name": + case "DestinationUserUserFullName": + case "destination.user.user.hash": + case "DestinationUserUserHash": + case "destination.user.user.id": + case "DestinationUserUserId": + case "destination.user.user.name": + case "DestinationUserUserName": return TrySetDestination(document, path, value); case "device.id": case "DeviceId": 
@@ -820,6 +974,70 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DllName": case "dll.path": case "DllPath": + case "dll.hash.md5": + case "DllHashMd5": + case "dll.hash.sha1": + case "DllHashSha1": + case "dll.hash.sha256": + case "DllHashSha256": + case "dll.hash.sha384": + case "DllHashSha384": + case "dll.hash.sha512": + case "DllHashSha512": + case "dll.hash.ssdeep": + case "DllHashSsdeep": + case "dll.hash.tlsh": + case "DllHashTlsh": + case "dll.pe.architecture": + case "DllPeArchitecture": + case "dll.pe.company": + case "DllPeCompany": + case "dll.pe.description": + case "DllPeDescription": + case "dll.pe.file_version": + case "DllPeFileVersion": + case "dll.pe.go_import_hash": + case "DllPeGoImportHash": + case "dll.pe.go_imports": + case "DllPeGoImports": + case "dll.pe.go_imports_names_entropy": + case "DllPeGoImportsNamesEntropy": + case "dll.pe.go_imports_names_var_entropy": + case "DllPeGoImportsNamesVarEntropy": + case "dll.pe.go_stripped": + case "DllPeGoStripped": + case "dll.pe.imphash": + case "DllPeImphash": + case "dll.pe.import_hash": + case "DllPeImportHash": + case "dll.pe.imports_names_entropy": + case "DllPeImportsNamesEntropy": + case "dll.pe.imports_names_var_entropy": + case "DllPeImportsNamesVarEntropy": + case "dll.pe.original_file_name": + case "DllPeOriginalFileName": + case "dll.pe.pehash": + case "DllPePehash": + case "dll.pe.product": + case "DllPeProduct": + case "dll.code_signature.digest_algorithm": + case "DllCodeSignatureDigestAlgorithm": + case "dll.code_signature.exists": + case "DllCodeSignatureExists": + case "dll.code_signature.signing_id": + case "DllCodeSignatureSigningId": + case "dll.code_signature.status": + case "DllCodeSignatureStatus": + case "dll.code_signature.subject_name": + case "DllCodeSignatureSubjectName": + case "dll.code_signature.team_id": + case "DllCodeSignatureTeamId": + case "dll.code_signature.timestamp": + case "DllCodeSignatureTimestamp": + case 
"dll.code_signature.trusted": + case "DllCodeSignatureTrusted": + case "dll.code_signature.valid": + case "DllCodeSignatureValid": return TrySetDll(document, path, value); case "dns.id": case "DnsId": 
@@ -1024,6 +1242,152 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "FileType": case "file.uid": case "FileUid": + case "file.hash.md5": + case "FileHashMd5": + case "file.hash.sha1": + case "FileHashSha1": + case "file.hash.sha256": + case "FileHashSha256": + case "file.hash.sha384": + case "FileHashSha384": + case "file.hash.sha512": + case "FileHashSha512": + case "file.hash.ssdeep": + case "FileHashSsdeep": + case "file.hash.tlsh": + case "FileHashTlsh": + case "file.pe.architecture": + case "FilePeArchitecture": + case "file.pe.company": + case "FilePeCompany": + case "file.pe.description": + case "FilePeDescription": + case "file.pe.file_version": + case "FilePeFileVersion": + case "file.pe.go_import_hash": + case "FilePeGoImportHash": + case "file.pe.go_imports": + case "FilePeGoImports": + case "file.pe.go_imports_names_entropy": + case "FilePeGoImportsNamesEntropy": + case "file.pe.go_imports_names_var_entropy": + case "FilePeGoImportsNamesVarEntropy": + case "file.pe.go_stripped": + case "FilePeGoStripped": + case "file.pe.imphash": + case "FilePeImphash": + case "file.pe.import_hash": + case "FilePeImportHash": + case "file.pe.imports_names_entropy": + case "FilePeImportsNamesEntropy": + case "file.pe.imports_names_var_entropy": + case "FilePeImportsNamesVarEntropy": + case "file.pe.original_file_name": + case "FilePeOriginalFileName": + case "file.pe.pehash": + case "FilePePehash": + case "file.pe.product": + case "FilePeProduct": + case "file.x509.issuer.distinguished_name": + case "FileX509IssuerDistinguishedName": + case "file.x509.not_after": + case "FileX509NotAfter": + case "file.x509.not_before": + case "FileX509NotBefore": + case "file.x509.public_key_algorithm": + case "FileX509PublicKeyAlgorithm": + case "file.x509.public_key_curve": + case "FileX509PublicKeyCurve": + case "file.x509.public_key_exponent": + case "FileX509PublicKeyExponent": + case "file.x509.public_key_size": + case 
"FileX509PublicKeySize": + case "file.x509.serial_number": + case "FileX509SerialNumber": + case "file.x509.signature_algorithm": + case "FileX509SignatureAlgorithm": + case "file.x509.subject.distinguished_name": + case "FileX509SubjectDistinguishedName": + case "file.x509.version_number": + case "FileX509VersionNumber": + case "file.code_signature.digest_algorithm": + case "FileCodeSignatureDigestAlgorithm": + case "file.code_signature.exists": + case "FileCodeSignatureExists": + case "file.code_signature.signing_id": + case "FileCodeSignatureSigningId": + case "file.code_signature.status": + case "FileCodeSignatureStatus": + case "file.code_signature.subject_name": + case "FileCodeSignatureSubjectName": + case "file.code_signature.team_id": + case "FileCodeSignatureTeamId": + case "file.code_signature.timestamp": + case "FileCodeSignatureTimestamp": + case "file.code_signature.trusted": + case "FileCodeSignatureTrusted": + case "file.code_signature.valid": + case "FileCodeSignatureValid": + case "file.elf.architecture": + case "FileElfArchitecture": + case "file.elf.byte_order": + case "FileElfByteOrder": + case "file.elf.cpu_type": + case "FileElfCpuType": + case "file.elf.creation_date": + case "FileElfCreationDate": + case "file.elf.go_import_hash": + case "FileElfGoImportHash": + case "file.elf.go_imports": + case "FileElfGoImports": + case "file.elf.go_imports_names_entropy": + case "FileElfGoImportsNamesEntropy": + case "file.elf.go_imports_names_var_entropy": + case "FileElfGoImportsNamesVarEntropy": + case "file.elf.go_stripped": + case "FileElfGoStripped": + case "file.elf.header.abi_version": + case "FileElfHeaderAbiVersion": + case "file.elf.header.class": + case "FileElfHeaderClass": + case "file.elf.header.data": + case "FileElfHeaderData": + case "file.elf.header.entrypoint": + case "FileElfHeaderEntrypoint": + case "file.elf.header.object_version": + case "FileElfHeaderObjectVersion": + case "file.elf.header.os_abi": + case "FileElfHeaderOsAbi": + 
case "file.elf.header.type": + case "FileElfHeaderType": + case "file.elf.header.version": + case "FileElfHeaderVersion": + case "file.elf.import_hash": + case "FileElfImportHash": + case "file.elf.imports_names_entropy": + case "FileElfImportsNamesEntropy": + case "file.elf.imports_names_var_entropy": + case "FileElfImportsNamesVarEntropy": + case "file.elf.telfhash": + case "FileElfTelfhash": + case "file.macho.go_import_hash": + case "FileMachoGoImportHash": + case "file.macho.go_imports": + case "FileMachoGoImports": + case "file.macho.go_imports_names_entropy": + case "FileMachoGoImportsNamesEntropy": + case "file.macho.go_imports_names_var_entropy": + case "FileMachoGoImportsNamesVarEntropy": + case "file.macho.go_stripped": + case "FileMachoGoStripped": + case "file.macho.import_hash": + case "FileMachoImportHash": + case "file.macho.imports_names_entropy": + case "FileMachoImportsNamesEntropy": + case "file.macho.imports_names_var_entropy": + case "FileMachoImportsNamesVarEntropy": + case "file.macho.symhash": + case "FileMachoSymhash": return TrySetFile(document, path, value); case "geo.city_name": case "GeoCityName": 
@@ -1100,6 +1464,52 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "HostType": case "host.uptime": case "HostUptime": + case "host.geo.city_name": + case "HostGeoCityName": + case "host.geo.continent_code": + case "HostGeoContinentCode": + case "host.geo.continent_name": + case "HostGeoContinentName": + case "host.geo.country_iso_code": + case "HostGeoCountryIsoCode": + case "host.geo.country_name": + case "HostGeoCountryName": + case "host.geo.name": + case "HostGeoName": + case "host.geo.postal_code": + case "HostGeoPostalCode": + case "host.geo.region_iso_code": + case "HostGeoRegionIsoCode": + case "host.geo.region_name": + case "HostGeoRegionName": + case "host.geo.timezone": + case "HostGeoTimezone": + case "host.os.family": + case "HostOsFamily": + case "host.os.full": + case "HostOsFull": + case "host.os.kernel": + case "HostOsKernel": + case "host.os.name": + case "HostOsName": + case "host.os.platform": + case "HostOsPlatform": + case "host.os.type": + case "HostOsType": + case "host.os.version": + case "HostOsVersion": + case "host.risk.calculated_level": + case "HostRiskCalculatedLevel": + case "host.risk.calculated_score": + case "HostRiskCalculatedScore": + case "host.risk.calculated_score_norm": + case "HostRiskCalculatedScoreNorm": + case "host.risk.static_level": + case "HostRiskStaticLevel": + case "host.risk.static_score": + case "HostRiskStaticScore": + case "host.risk.static_score_norm": + case "HostRiskStaticScoreNorm": return TrySetHost(document, path, value); case "http.request.body.bytes": case "HttpRequestBodyBytes": @@ -1189,6 +1599,10 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "NetworkTransport": case "network.type": case "NetworkType": + case "network.vlan.id": + case "NetworkVlanId": + case "network.vlan.name": + case "NetworkVlanName": return TrySetNetwork(document, path, value); case "observer.hostname": case "ObserverHostname": 
@@ -1204,6 +1618,40 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ObserverVendor": case "observer.version": case "ObserverVersion": + case "observer.geo.city_name": + case "ObserverGeoCityName": + case "observer.geo.continent_code": + case "ObserverGeoContinentCode": + case "observer.geo.continent_name": + case "ObserverGeoContinentName": + case "observer.geo.country_iso_code": + case "ObserverGeoCountryIsoCode": + case "observer.geo.country_name": + case "ObserverGeoCountryName": + case "observer.geo.name": + case "ObserverGeoName": + case "observer.geo.postal_code": + case "ObserverGeoPostalCode": + case "observer.geo.region_iso_code": + case "ObserverGeoRegionIsoCode": + case "observer.geo.region_name": + case "ObserverGeoRegionName": + case "observer.geo.timezone": + case "ObserverGeoTimezone": + case "observer.os.family": + case "ObserverOsFamily": + case "observer.os.full": + case "ObserverOsFull": + case "observer.os.kernel": + case "ObserverOsKernel": + case "observer.os.name": + case "ObserverOsName": + case "observer.os.platform": + case "ObserverOsPlatform": + case "observer.os.type": + case "ObserverOsType": + case "observer.os.version": + case "ObserverOsVersion": return TrySetObserver(document, path, value); case "orchestrator.api_version": case "OrchestratorApiVersion": 
@@ -1344,6 +1792,472 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessVpid": case "process.working_directory": case "ProcessWorkingDirectory": + case "process.group.domain": + case "ProcessGroupDomain": + case "process.group.id": + case "ProcessGroupId": + case "process.group.name": + case "ProcessGroupName": + case "process.hash.md5": + case "ProcessHashMd5": + case "process.hash.sha1": + case "ProcessHashSha1": + case "process.hash.sha256": + case "ProcessHashSha256": + case "process.hash.sha384": + case "ProcessHashSha384": + case "process.hash.sha512": + case "ProcessHashSha512": + case "process.hash.ssdeep": + case "ProcessHashSsdeep": + case "process.hash.tlsh": + case "ProcessHashTlsh": + case "process.pe.architecture": + case "ProcessPeArchitecture": + case "process.pe.company": + case "ProcessPeCompany": + case "process.pe.description": + case "ProcessPeDescription": + case "process.pe.file_version": + case "ProcessPeFileVersion": + case "process.pe.go_import_hash": + case "ProcessPeGoImportHash": + case "process.pe.go_imports": + case "ProcessPeGoImports": + case "process.pe.go_imports_names_entropy": + case "ProcessPeGoImportsNamesEntropy": + case "process.pe.go_imports_names_var_entropy": + case "ProcessPeGoImportsNamesVarEntropy": + case "process.pe.go_stripped": + case "ProcessPeGoStripped": + case "process.pe.imphash": + case "ProcessPeImphash": + case "process.pe.import_hash": + case "ProcessPeImportHash": + case "process.pe.imports_names_entropy": + case "ProcessPeImportsNamesEntropy": + case "process.pe.imports_names_var_entropy": + case "ProcessPeImportsNamesVarEntropy": + case "process.pe.original_file_name": + case "ProcessPeOriginalFileName": + case "process.pe.pehash": + case "ProcessPePehash": + case "process.pe.product": + case "ProcessPeProduct": + case "process.code_signature.digest_algorithm": + case "ProcessCodeSignatureDigestAlgorithm": + case "process.code_signature.exists": + case 
"ProcessCodeSignatureExists": + case "process.code_signature.signing_id": + case "ProcessCodeSignatureSigningId": + case "process.code_signature.status": + case "ProcessCodeSignatureStatus": + case "process.code_signature.subject_name": + case "ProcessCodeSignatureSubjectName": + case "process.code_signature.team_id": + case "ProcessCodeSignatureTeamId": + case "process.code_signature.timestamp": + case "ProcessCodeSignatureTimestamp": + case "process.code_signature.trusted": + case "ProcessCodeSignatureTrusted": + case "process.code_signature.valid": + case "ProcessCodeSignatureValid": + case "process.elf.architecture": + case "ProcessElfArchitecture": + case "process.elf.byte_order": + case "ProcessElfByteOrder": + case "process.elf.cpu_type": + case "ProcessElfCpuType": + case "process.elf.creation_date": + case "ProcessElfCreationDate": + case "process.elf.go_import_hash": + case "ProcessElfGoImportHash": + case "process.elf.go_imports": + case "ProcessElfGoImports": + case "process.elf.go_imports_names_entropy": + case "ProcessElfGoImportsNamesEntropy": + case "process.elf.go_imports_names_var_entropy": + case "ProcessElfGoImportsNamesVarEntropy": + case "process.elf.go_stripped": + case "ProcessElfGoStripped": + case "process.elf.header.abi_version": + case "ProcessElfHeaderAbiVersion": + case "process.elf.header.class": + case "ProcessElfHeaderClass": + case "process.elf.header.data": + case "ProcessElfHeaderData": + case "process.elf.header.entrypoint": + case "ProcessElfHeaderEntrypoint": + case "process.elf.header.object_version": + case "ProcessElfHeaderObjectVersion": + case "process.elf.header.os_abi": + case "ProcessElfHeaderOsAbi": + case "process.elf.header.type": + case "ProcessElfHeaderType": + case "process.elf.header.version": + case "ProcessElfHeaderVersion": + case "process.elf.import_hash": + case "ProcessElfImportHash": + case "process.elf.imports_names_entropy": + case "ProcessElfImportsNamesEntropy": + case 
"process.elf.imports_names_var_entropy": + case "ProcessElfImportsNamesVarEntropy": + case "process.elf.telfhash": + case "ProcessElfTelfhash": + case "process.macho.go_import_hash": + case "ProcessMachoGoImportHash": + case "process.macho.go_imports": + case "ProcessMachoGoImports": + case "process.macho.go_imports_names_entropy": + case "ProcessMachoGoImportsNamesEntropy": + case "process.macho.go_imports_names_var_entropy": + case "ProcessMachoGoImportsNamesVarEntropy": + case "process.macho.go_stripped": + case "ProcessMachoGoStripped": + case "process.macho.import_hash": + case "ProcessMachoImportHash": + case "process.macho.imports_names_entropy": + case "ProcessMachoImportsNamesEntropy": + case "process.macho.imports_names_var_entropy": + case "ProcessMachoImportsNamesVarEntropy": + case "process.macho.symhash": + case "ProcessMachoSymhash": + case "process.source.address": + case "ProcessSourceAddress": + case "process.source.bytes": + case "ProcessSourceBytes": + case "process.source.domain": + case "ProcessSourceDomain": + case "process.source.ip": + case "ProcessSourceIp": + case "process.source.mac": + case "ProcessSourceMac": + case "process.source.nat.ip": + case "ProcessSourceNatIp": + case "process.source.nat.port": + case "ProcessSourceNatPort": + case "process.source.packets": + case "ProcessSourcePackets": + case "process.source.port": + case "ProcessSourcePort": + case "process.source.registered_domain": + case "ProcessSourceRegisteredDomain": + case "process.source.subdomain": + case "ProcessSourceSubdomain": + case "process.source.top_level_domain": + case "ProcessSourceTopLevelDomain": + case "process.source.as.number": + case "ProcessSourceAsNumber": + case "process.source.as.organization.name": + case "ProcessSourceAsOrganizationName": + case "process.source.geo.city_name": + case "ProcessSourceGeoCityName": + case "process.source.geo.continent_code": + case "ProcessSourceGeoContinentCode": + case "process.source.geo.continent_name": + case 
"ProcessSourceGeoContinentName": + case "process.source.geo.country_iso_code": + case "ProcessSourceGeoCountryIsoCode": + case "process.source.geo.country_name": + case "ProcessSourceGeoCountryName": + case "process.source.geo.name": + case "ProcessSourceGeoName": + case "process.source.geo.postal_code": + case "ProcessSourceGeoPostalCode": + case "process.source.geo.region_iso_code": + case "ProcessSourceGeoRegionIsoCode": + case "process.source.geo.region_name": + case "ProcessSourceGeoRegionName": + case "process.source.geo.timezone": + case "ProcessSourceGeoTimezone": + case "process.source.user.domain": + case "ProcessSourceUserDomain": + case "process.source.user.email": + case "ProcessSourceUserEmail": + case "process.source.user.full_name": + case "ProcessSourceUserFullName": + case "process.source.user.hash": + case "ProcessSourceUserHash": + case "process.source.user.id": + case "ProcessSourceUserId": + case "process.source.user.name": + case "ProcessSourceUserName": + case "process.source.user.group.domain": + case "ProcessSourceUserGroupDomain": + case "process.source.user.group.id": + case "ProcessSourceUserGroupId": + case "process.source.user.group.name": + case "ProcessSourceUserGroupName": + case "process.source.user.risk.calculated_level": + case "ProcessSourceUserRiskCalculatedLevel": + case "process.source.user.risk.calculated_score": + case "ProcessSourceUserRiskCalculatedScore": + case "process.source.user.risk.calculated_score_norm": + case "ProcessSourceUserRiskCalculatedScoreNorm": + case "process.source.user.risk.static_level": + case "ProcessSourceUserRiskStaticLevel": + case "process.source.user.risk.static_score": + case "ProcessSourceUserRiskStaticScore": + case "process.source.user.risk.static_score_norm": + case "ProcessSourceUserRiskStaticScoreNorm": + case "process.source.user.user.domain": + case "ProcessSourceUserUserDomain": + case "process.source.user.user.email": + case "ProcessSourceUserUserEmail": + case 
"process.source.user.user.full_name": + case "ProcessSourceUserUserFullName": + case "process.source.user.user.hash": + case "ProcessSourceUserUserHash": + case "process.source.user.user.id": + case "ProcessSourceUserUserId": + case "process.source.user.user.name": + case "ProcessSourceUserUserName": + case "process.user.domain": + case "ProcessUserDomain": + case "process.user.email": + case "ProcessUserEmail": + case "process.user.full_name": + case "ProcessUserFullName": + case "process.user.hash": + case "ProcessUserHash": + case "process.user.id": + case "ProcessUserId": + case "process.user.name": + case "ProcessUserName": + case "process.user.group.domain": + case "ProcessUserGroupDomain": + case "process.user.group.id": + case "ProcessUserGroupId": + case "process.user.group.name": + case "ProcessUserGroupName": + case "process.user.risk.calculated_level": + case "ProcessUserRiskCalculatedLevel": + case "process.user.risk.calculated_score": + case "ProcessUserRiskCalculatedScore": + case "process.user.risk.calculated_score_norm": + case "ProcessUserRiskCalculatedScoreNorm": + case "process.user.risk.static_level": + case "ProcessUserRiskStaticLevel": + case "process.user.risk.static_score": + case "ProcessUserRiskStaticScore": + case "process.user.risk.static_score_norm": + case "ProcessUserRiskStaticScoreNorm": + case "process.user.user.domain": + case "ProcessUserUserDomain": + case "process.user.user.email": + case "ProcessUserUserEmail": + case "process.user.user.full_name": + case "ProcessUserUserFullName": + case "process.user.user.hash": + case "ProcessUserUserHash": + case "process.user.user.id": + case "ProcessUserUserId": + case "process.user.user.name": + case "ProcessUserUserName": + case "process.process.args_count": + case "ProcessProcessArgsCount": + case "process.process.command_line": + case "ProcessProcessCommandLine": + case "process.process.end": + case "ProcessProcessEnd": + case "process.process.entity_id": + case 
"ProcessProcessEntityId": + case "process.process.executable": + case "ProcessProcessExecutable": + case "process.process.exit_code": + case "ProcessProcessExitCode": + case "process.process.interactive": + case "ProcessProcessInteractive": + case "process.process.name": + case "ProcessProcessName": + case "process.process.pgid": + case "ProcessProcessPgid": + case "process.process.pid": + case "ProcessProcessPid": + case "process.process.start": + case "ProcessProcessStart": + case "process.process.thread.id": + case "ProcessProcessThreadId": + case "process.process.thread.name": + case "ProcessProcessThreadName": + case "process.process.title": + case "ProcessProcessTitle": + case "process.process.uptime": + case "ProcessProcessUptime": + case "process.process.vpid": + case "ProcessProcessVpid": + case "process.process.working_directory": + case "ProcessProcessWorkingDirectory": + case "process.process.parent.process.args_count": + case "ProcessProcessParentProcessArgsCount": + case "process.process.parent.process.command_line": + case "ProcessProcessParentProcessCommandLine": + case "process.process.parent.process.end": + case "ProcessProcessParentProcessEnd": + case "process.process.parent.process.entity_id": + case "ProcessProcessParentProcessEntityId": + case "process.process.parent.process.executable": + case "ProcessProcessParentProcessExecutable": + case "process.process.parent.process.exit_code": + case "ProcessProcessParentProcessExitCode": + case "process.process.parent.process.interactive": + case "ProcessProcessParentProcessInteractive": + case "process.process.parent.process.name": + case "ProcessProcessParentProcessName": + case "process.process.parent.process.pgid": + case "ProcessProcessParentProcessPgid": + case "process.process.parent.process.pid": + case "ProcessProcessParentProcessPid": + case "process.process.parent.process.start": + case "ProcessProcessParentProcessStart": + case "process.process.parent.process.thread.id": + case 
"ProcessProcessParentProcessThreadId": + case "process.process.parent.process.thread.name": + case "ProcessProcessParentProcessThreadName": + case "process.process.parent.process.title": + case "ProcessProcessParentProcessTitle": + case "process.process.parent.process.uptime": + case "ProcessProcessParentProcessUptime": + case "process.process.parent.process.vpid": + case "ProcessProcessParentProcessVpid": + case "process.process.parent.process.working_directory": + case "ProcessProcessParentProcessWorkingDirectory": + case "process.process.entry_leader.process.args_count": + case "ProcessProcessEntryLeaderProcessArgsCount": + case "process.process.entry_leader.process.command_line": + case "ProcessProcessEntryLeaderProcessCommandLine": + case "process.process.entry_leader.process.end": + case "ProcessProcessEntryLeaderProcessEnd": + case "process.process.entry_leader.process.entity_id": + case "ProcessProcessEntryLeaderProcessEntityId": + case "process.process.entry_leader.process.executable": + case "ProcessProcessEntryLeaderProcessExecutable": + case "process.process.entry_leader.process.exit_code": + case "ProcessProcessEntryLeaderProcessExitCode": + case "process.process.entry_leader.process.interactive": + case "ProcessProcessEntryLeaderProcessInteractive": + case "process.process.entry_leader.process.name": + case "ProcessProcessEntryLeaderProcessName": + case "process.process.entry_leader.process.pgid": + case "ProcessProcessEntryLeaderProcessPgid": + case "process.process.entry_leader.process.pid": + case "ProcessProcessEntryLeaderProcessPid": + case "process.process.entry_leader.process.start": + case "ProcessProcessEntryLeaderProcessStart": + case "process.process.entry_leader.process.thread.id": + case "ProcessProcessEntryLeaderProcessThreadId": + case "process.process.entry_leader.process.thread.name": + case "ProcessProcessEntryLeaderProcessThreadName": + case "process.process.entry_leader.process.title": + case 
"ProcessProcessEntryLeaderProcessTitle": + case "process.process.entry_leader.process.uptime": + case "ProcessProcessEntryLeaderProcessUptime": + case "process.process.entry_leader.process.vpid": + case "ProcessProcessEntryLeaderProcessVpid": + case "process.process.entry_leader.process.working_directory": + case "ProcessProcessEntryLeaderProcessWorkingDirectory": + case "process.process.entry_leader.process.entry_leader.parent.process.args_count": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount": + case "process.process.entry_leader.process.entry_leader.parent.process.command_line": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine": + case "process.process.entry_leader.process.entry_leader.parent.process.end": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd": + case "process.process.entry_leader.process.entry_leader.parent.process.entity_id": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId": + case "process.process.entry_leader.process.entry_leader.parent.process.executable": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable": + case "process.process.entry_leader.process.entry_leader.parent.process.exit_code": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode": + case "process.process.entry_leader.process.entry_leader.parent.process.interactive": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive": + case "process.process.entry_leader.process.entry_leader.parent.process.name": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName": + case "process.process.entry_leader.process.entry_leader.parent.process.pgid": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid": + case "process.process.entry_leader.process.entry_leader.parent.process.pid": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid": + case 
"process.process.entry_leader.process.entry_leader.parent.process.start": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart": + case "process.process.entry_leader.process.entry_leader.parent.process.thread.id": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId": + case "process.process.entry_leader.process.entry_leader.parent.process.thread.name": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName": + case "process.process.entry_leader.process.entry_leader.parent.process.title": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle": + case "process.process.entry_leader.process.entry_leader.parent.process.uptime": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime": + case "process.process.entry_leader.process.entry_leader.parent.process.vpid": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid": + case "process.process.entry_leader.process.entry_leader.parent.process.working_directory": + case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory": + case "process.process.session_leader.process.args_count": + case "ProcessProcessSessionLeaderProcessArgsCount": + case "process.process.session_leader.process.command_line": + case "ProcessProcessSessionLeaderProcessCommandLine": + case "process.process.session_leader.process.end": + case "ProcessProcessSessionLeaderProcessEnd": + case "process.process.session_leader.process.entity_id": + case "ProcessProcessSessionLeaderProcessEntityId": + case "process.process.session_leader.process.executable": + case "ProcessProcessSessionLeaderProcessExecutable": + case "process.process.session_leader.process.exit_code": + case "ProcessProcessSessionLeaderProcessExitCode": + case "process.process.session_leader.process.interactive": + case "ProcessProcessSessionLeaderProcessInteractive": + case "process.process.session_leader.process.name": + case "ProcessProcessSessionLeaderProcessName": + 
case "process.process.session_leader.process.pgid": + case "ProcessProcessSessionLeaderProcessPgid": + case "process.process.session_leader.process.pid": + case "ProcessProcessSessionLeaderProcessPid": + case "process.process.session_leader.process.start": + case "ProcessProcessSessionLeaderProcessStart": + case "process.process.session_leader.process.thread.id": + case "ProcessProcessSessionLeaderProcessThreadId": + case "process.process.session_leader.process.thread.name": + case "ProcessProcessSessionLeaderProcessThreadName": + case "process.process.session_leader.process.title": + case "ProcessProcessSessionLeaderProcessTitle": + case "process.process.session_leader.process.uptime": + case "ProcessProcessSessionLeaderProcessUptime": + case "process.process.session_leader.process.vpid": + case "ProcessProcessSessionLeaderProcessVpid": + case "process.process.session_leader.process.working_directory": + case "ProcessProcessSessionLeaderProcessWorkingDirectory": + case "process.process.session_leader.process.session_leader.parent.process.args_count": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount": + case "process.process.session_leader.process.session_leader.parent.process.command_line": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine": + case "process.process.session_leader.process.session_leader.parent.process.end": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd": + case "process.process.session_leader.process.session_leader.parent.process.entity_id": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId": + case "process.process.session_leader.process.session_leader.parent.process.executable": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable": + case "process.process.session_leader.process.session_leader.parent.process.exit_code": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode": + case 
"process.process.session_leader.process.session_leader.parent.process.interactive": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive": + case "process.process.session_leader.process.session_leader.parent.process.name": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName": + case "process.process.session_leader.process.session_leader.parent.process.pgid": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid": + case "process.process.session_leader.process.session_leader.parent.process.pid": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid": + case "process.process.session_leader.process.session_leader.parent.process.start": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart": + case "process.process.session_leader.process.session_leader.parent.process.thread.id": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId": + case "process.process.session_leader.process.session_leader.parent.process.thread.name": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName": + case "process.process.session_leader.process.session_leader.parent.process.title": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle": + case "process.process.session_leader.process.session_leader.parent.process.uptime": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime": + case "process.process.session_leader.process.session_leader.parent.process.vpid": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid": + case "process.process.session_leader.process.session_leader.parent.process.working_directory": + case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory": return TrySetProcess(document, path, value); case "registry.data.bytes": case "RegistryDataBytes": 
@@ -1414,6 +2328,72 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServerSubdomain": case "server.top_level_domain": case "ServerTopLevelDomain": + case "server.as.number": + case "ServerAsNumber": + case "server.as.organization.name": + case "ServerAsOrganizationName": + case "server.geo.city_name": + case "ServerGeoCityName": + case "server.geo.continent_code": + case "ServerGeoContinentCode": + case "server.geo.continent_name": + case "ServerGeoContinentName": + case "server.geo.country_iso_code": + case "ServerGeoCountryIsoCode": + case "server.geo.country_name": + case "ServerGeoCountryName": + case "server.geo.name": + case "ServerGeoName": + case "server.geo.postal_code": + case "ServerGeoPostalCode": + case "server.geo.region_iso_code": + case "ServerGeoRegionIsoCode": + case "server.geo.region_name": + case "ServerGeoRegionName": + case "server.geo.timezone": + case "ServerGeoTimezone": + case "server.user.domain": + case "ServerUserDomain": + case "server.user.email": + case "ServerUserEmail": + case "server.user.full_name": + case "ServerUserFullName": + case "server.user.hash": + case "ServerUserHash": + case "server.user.id": + case "ServerUserId": + case "server.user.name": + case "ServerUserName": + case "server.user.group.domain": + case "ServerUserGroupDomain": + case "server.user.group.id": + case "ServerUserGroupId": + case "server.user.group.name": + case "ServerUserGroupName": + case "server.user.risk.calculated_level": + case "ServerUserRiskCalculatedLevel": + case "server.user.risk.calculated_score": + case "ServerUserRiskCalculatedScore": + case "server.user.risk.calculated_score_norm": + case "ServerUserRiskCalculatedScoreNorm": + case "server.user.risk.static_level": + case "ServerUserRiskStaticLevel": + case "server.user.risk.static_score": + case "ServerUserRiskStaticScore": + case "server.user.risk.static_score_norm": + case "ServerUserRiskStaticScoreNorm": + case "server.user.user.domain": + case 
"ServerUserUserDomain": + case "server.user.user.email": + case "ServerUserUserEmail": + case "server.user.user.full_name": + case "ServerUserUserFullName": + case "server.user.user.hash": + case "ServerUserUserHash": + case "server.user.user.id": + case "ServerUserUserId": + case "server.user.user.name": + case "ServerUserUserName": return TrySetServer(document, path, value); case "service.address": case "ServiceAddress": @@ -1435,6 +2415,26 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServiceType": case "service.version": case "ServiceVersion": + case "service.service.address": + case "ServiceServiceAddress": + case "service.service.environment": + case "ServiceServiceEnvironment": + case "service.service.ephemeral_id": + case "ServiceServiceEphemeralId": + case "service.service.id": + case "ServiceServiceId": + case "service.service.name": + case "ServiceServiceName": + case "service.service.node.name": + case "ServiceServiceNodeName": + case "service.service.node.role": + case "ServiceServiceNodeRole": + case "service.service.state": + case "ServiceServiceState": + case "service.service.type": + case "ServiceServiceType": + case "service.service.version": + case "ServiceServiceVersion": return TrySetService(document, path, value); case "source.address": case "SourceAddress": 
@@ -1460,6 +2460,72 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "SourceSubdomain": case "source.top_level_domain": case "SourceTopLevelDomain": + case "source.as.number": + case "SourceAsNumber": + case "source.as.organization.name": + case "SourceAsOrganizationName": + case "source.geo.city_name": + case "SourceGeoCityName": + case "source.geo.continent_code": + case "SourceGeoContinentCode": + case "source.geo.continent_name": + case "SourceGeoContinentName": + case "source.geo.country_iso_code": + case "SourceGeoCountryIsoCode": + case "source.geo.country_name": + case "SourceGeoCountryName": + case "source.geo.name": + case "SourceGeoName": + case "source.geo.postal_code": + case "SourceGeoPostalCode": + case "source.geo.region_iso_code": + case "SourceGeoRegionIsoCode": + case "source.geo.region_name": + case "SourceGeoRegionName": + case "source.geo.timezone": + case "SourceGeoTimezone": + case "source.user.domain": + case "SourceUserDomain": + case "source.user.email": + case "SourceUserEmail": + case "source.user.full_name": + case "SourceUserFullName": + case "source.user.hash": + case "SourceUserHash": + case "source.user.id": + case "SourceUserId": + case "source.user.name": + case "SourceUserName": + case "source.user.group.domain": + case "SourceUserGroupDomain": + case "source.user.group.id": + case "SourceUserGroupId": + case "source.user.group.name": + case "SourceUserGroupName": + case "source.user.risk.calculated_level": + case "SourceUserRiskCalculatedLevel": + case "source.user.risk.calculated_score": + case "SourceUserRiskCalculatedScore": + case "source.user.risk.calculated_score_norm": + case "SourceUserRiskCalculatedScoreNorm": + case "source.user.risk.static_level": + case "SourceUserRiskStaticLevel": + case "source.user.risk.static_score": + case "SourceUserRiskStaticScore": + case "source.user.risk.static_score_norm": + case "SourceUserRiskStaticScoreNorm": + case "source.user.user.domain": + case 
"SourceUserUserDomain": + case "source.user.user.email": + case "SourceUserUserEmail": + case "source.user.user.full_name": + case "SourceUserUserFullName": + case "source.user.user.hash": + case "SourceUserUserHash": + case "source.user.user.id": + case "SourceUserUserId": + case "source.user.user.name": + case "SourceUserUserName": return TrySetSource(document, path, value); case "threat.feed.dashboard_id": case "ThreatFeedDashboardId": 
@@ -1517,6 +2583,280 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ThreatSoftwareReference": case "threat.software.type": case "ThreatSoftwareType": + case "threat.x509.issuer.distinguished_name": + case "ThreatX509IssuerDistinguishedName": + case "threat.x509.not_after": + case "ThreatX509NotAfter": + case "threat.x509.not_before": + case "ThreatX509NotBefore": + case "threat.x509.public_key_algorithm": + case "ThreatX509PublicKeyAlgorithm": + case "threat.x509.public_key_curve": + case "ThreatX509PublicKeyCurve": + case "threat.x509.public_key_exponent": + case "ThreatX509PublicKeyExponent": + case "threat.x509.public_key_size": + case "ThreatX509PublicKeySize": + case "threat.x509.serial_number": + case "ThreatX509SerialNumber": + case "threat.x509.signature_algorithm": + case "ThreatX509SignatureAlgorithm": + case "threat.x509.subject.distinguished_name": + case "ThreatX509SubjectDistinguishedName": + case "threat.x509.version_number": + case "ThreatX509VersionNumber": + case "threat.as.number": + case "ThreatAsNumber": + case "threat.as.organization.name": + case "ThreatAsOrganizationName": + case "threat.file.accessed": + case "ThreatFileAccessed": + case "threat.file.created": + case "ThreatFileCreated": + case "threat.file.ctime": + case "ThreatFileCtime": + case "threat.file.device": + case "ThreatFileDevice": + case "threat.file.directory": + case "ThreatFileDirectory": + case "threat.file.drive_letter": + case "ThreatFileDriveLetter": + case "threat.file.extension": + case "ThreatFileExtension": + case "threat.file.fork_name": + case "ThreatFileForkName": + case "threat.file.gid": + case "ThreatFileGid": + case "threat.file.group": + case "ThreatFileGroup": + case "threat.file.inode": + case "ThreatFileInode": + case "threat.file.mime_type": + case "ThreatFileMimeType": + case "threat.file.mode": + case "ThreatFileMode": + case "threat.file.mtime": + case "ThreatFileMtime": + case "threat.file.name": + case 
"ThreatFileName": + case "threat.file.owner": + case "ThreatFileOwner": + case "threat.file.path": + case "ThreatFilePath": + case "threat.file.size": + case "ThreatFileSize": + case "threat.file.target_path": + case "ThreatFileTargetPath": + case "threat.file.type": + case "ThreatFileType": + case "threat.file.uid": + case "ThreatFileUid": + case "threat.file.hash.md5": + case "ThreatFileHashMd5": + case "threat.file.hash.sha1": + case "ThreatFileHashSha1": + case "threat.file.hash.sha256": + case "ThreatFileHashSha256": + case "threat.file.hash.sha384": + case "ThreatFileHashSha384": + case "threat.file.hash.sha512": + case "ThreatFileHashSha512": + case "threat.file.hash.ssdeep": + case "ThreatFileHashSsdeep": + case "threat.file.hash.tlsh": + case "ThreatFileHashTlsh": + case "threat.file.pe.architecture": + case "ThreatFilePeArchitecture": + case "threat.file.pe.company": + case "ThreatFilePeCompany": + case "threat.file.pe.description": + case "ThreatFilePeDescription": + case "threat.file.pe.file_version": + case "ThreatFilePeFileVersion": + case "threat.file.pe.go_import_hash": + case "ThreatFilePeGoImportHash": + case "threat.file.pe.go_imports": + case "ThreatFilePeGoImports": + case "threat.file.pe.go_imports_names_entropy": + case "ThreatFilePeGoImportsNamesEntropy": + case "threat.file.pe.go_imports_names_var_entropy": + case "ThreatFilePeGoImportsNamesVarEntropy": + case "threat.file.pe.go_stripped": + case "ThreatFilePeGoStripped": + case "threat.file.pe.imphash": + case "ThreatFilePeImphash": + case "threat.file.pe.import_hash": + case "ThreatFilePeImportHash": + case "threat.file.pe.imports_names_entropy": + case "ThreatFilePeImportsNamesEntropy": + case "threat.file.pe.imports_names_var_entropy": + case "ThreatFilePeImportsNamesVarEntropy": + case "threat.file.pe.original_file_name": + case "ThreatFilePeOriginalFileName": + case "threat.file.pe.pehash": + case "ThreatFilePePehash": + case "threat.file.pe.product": + case "ThreatFilePeProduct": + 
case "threat.file.x509.issuer.distinguished_name": + case "ThreatFileX509IssuerDistinguishedName": + case "threat.file.x509.not_after": + case "ThreatFileX509NotAfter": + case "threat.file.x509.not_before": + case "ThreatFileX509NotBefore": + case "threat.file.x509.public_key_algorithm": + case "ThreatFileX509PublicKeyAlgorithm": + case "threat.file.x509.public_key_curve": + case "ThreatFileX509PublicKeyCurve": + case "threat.file.x509.public_key_exponent": + case "ThreatFileX509PublicKeyExponent": + case "threat.file.x509.public_key_size": + case "ThreatFileX509PublicKeySize": + case "threat.file.x509.serial_number": + case "ThreatFileX509SerialNumber": + case "threat.file.x509.signature_algorithm": + case "ThreatFileX509SignatureAlgorithm": + case "threat.file.x509.subject.distinguished_name": + case "ThreatFileX509SubjectDistinguishedName": + case "threat.file.x509.version_number": + case "ThreatFileX509VersionNumber": + case "threat.file.code_signature.digest_algorithm": + case "ThreatFileCodeSignatureDigestAlgorithm": + case "threat.file.code_signature.exists": + case "ThreatFileCodeSignatureExists": + case "threat.file.code_signature.signing_id": + case "ThreatFileCodeSignatureSigningId": + case "threat.file.code_signature.status": + case "ThreatFileCodeSignatureStatus": + case "threat.file.code_signature.subject_name": + case "ThreatFileCodeSignatureSubjectName": + case "threat.file.code_signature.team_id": + case "ThreatFileCodeSignatureTeamId": + case "threat.file.code_signature.timestamp": + case "ThreatFileCodeSignatureTimestamp": + case "threat.file.code_signature.trusted": + case "ThreatFileCodeSignatureTrusted": + case "threat.file.code_signature.valid": + case "ThreatFileCodeSignatureValid": + case "threat.file.elf.architecture": + case "ThreatFileElfArchitecture": + case "threat.file.elf.byte_order": + case "ThreatFileElfByteOrder": + case "threat.file.elf.cpu_type": + case "ThreatFileElfCpuType": + case "threat.file.elf.creation_date": + case 
"ThreatFileElfCreationDate": + case "threat.file.elf.go_import_hash": + case "ThreatFileElfGoImportHash": + case "threat.file.elf.go_imports": + case "ThreatFileElfGoImports": + case "threat.file.elf.go_imports_names_entropy": + case "ThreatFileElfGoImportsNamesEntropy": + case "threat.file.elf.go_imports_names_var_entropy": + case "ThreatFileElfGoImportsNamesVarEntropy": + case "threat.file.elf.go_stripped": + case "ThreatFileElfGoStripped": + case "threat.file.elf.header.abi_version": + case "ThreatFileElfHeaderAbiVersion": + case "threat.file.elf.header.class": + case "ThreatFileElfHeaderClass": + case "threat.file.elf.header.data": + case "ThreatFileElfHeaderData": + case "threat.file.elf.header.entrypoint": + case "ThreatFileElfHeaderEntrypoint": + case "threat.file.elf.header.object_version": + case "ThreatFileElfHeaderObjectVersion": + case "threat.file.elf.header.os_abi": + case "ThreatFileElfHeaderOsAbi": + case "threat.file.elf.header.type": + case "ThreatFileElfHeaderType": + case "threat.file.elf.header.version": + case "ThreatFileElfHeaderVersion": + case "threat.file.elf.import_hash": + case "ThreatFileElfImportHash": + case "threat.file.elf.imports_names_entropy": + case "ThreatFileElfImportsNamesEntropy": + case "threat.file.elf.imports_names_var_entropy": + case "ThreatFileElfImportsNamesVarEntropy": + case "threat.file.elf.telfhash": + case "ThreatFileElfTelfhash": + case "threat.file.macho.go_import_hash": + case "ThreatFileMachoGoImportHash": + case "threat.file.macho.go_imports": + case "ThreatFileMachoGoImports": + case "threat.file.macho.go_imports_names_entropy": + case "ThreatFileMachoGoImportsNamesEntropy": + case "threat.file.macho.go_imports_names_var_entropy": + case "ThreatFileMachoGoImportsNamesVarEntropy": + case "threat.file.macho.go_stripped": + case "ThreatFileMachoGoStripped": + case "threat.file.macho.import_hash": + case "ThreatFileMachoImportHash": + case "threat.file.macho.imports_names_entropy": + case 
"ThreatFileMachoImportsNamesEntropy": + case "threat.file.macho.imports_names_var_entropy": + case "ThreatFileMachoImportsNamesVarEntropy": + case "threat.file.macho.symhash": + case "ThreatFileMachoSymhash": + case "threat.geo.city_name": + case "ThreatGeoCityName": + case "threat.geo.continent_code": + case "ThreatGeoContinentCode": + case "threat.geo.continent_name": + case "ThreatGeoContinentName": + case "threat.geo.country_iso_code": + case "ThreatGeoCountryIsoCode": + case "threat.geo.country_name": + case "ThreatGeoCountryName": + case "threat.geo.name": + case "ThreatGeoName": + case "threat.geo.postal_code": + case "ThreatGeoPostalCode": + case "threat.geo.region_iso_code": + case "ThreatGeoRegionIsoCode": + case "threat.geo.region_name": + case "ThreatGeoRegionName": + case "threat.geo.timezone": + case "ThreatGeoTimezone": + case "threat.registry.data.bytes": + case "ThreatRegistryDataBytes": + case "threat.registry.data.type": + case "ThreatRegistryDataType": + case "threat.registry.hive": + case "ThreatRegistryHive": + case "threat.registry.key": + case "ThreatRegistryKey": + case "threat.registry.path": + case "ThreatRegistryPath": + case "threat.registry.value": + case "ThreatRegistryValue": + case "threat.url.domain": + case "ThreatUrlDomain": + case "threat.url.extension": + case "ThreatUrlExtension": + case "threat.url.fragment": + case "ThreatUrlFragment": + case "threat.url.full": + case "ThreatUrlFull": + case "threat.url.original": + case "ThreatUrlOriginal": + case "threat.url.password": + case "ThreatUrlPassword": + case "threat.url.path": + case "ThreatUrlPath": + case "threat.url.port": + case "ThreatUrlPort": + case "threat.url.query": + case "ThreatUrlQuery": + case "threat.url.registered_domain": + case "ThreatUrlRegisteredDomain": + case "threat.url.scheme": + case "ThreatUrlScheme": + case "threat.url.subdomain": + case "ThreatUrlSubdomain": + case "threat.url.top_level_domain": + case "ThreatUrlTopLevelDomain": + case 
"threat.url.username": + case "ThreatUrlUsername": return TrySetThreat(document, path, value); case "tls.cipher": case "TlsCipher": @@ -1570,6 +2910,28 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "TlsVersion": case "tls.version_protocol": case "TlsVersionProtocol": + case "tls.x509.issuer.distinguished_name": + case "TlsX509IssuerDistinguishedName": + case "tls.x509.not_after": + case "TlsX509NotAfter": + case "tls.x509.not_before": + case "TlsX509NotBefore": + case "tls.x509.public_key_algorithm": + case "TlsX509PublicKeyAlgorithm": + case "tls.x509.public_key_curve": + case "TlsX509PublicKeyCurve": + case "tls.x509.public_key_exponent": + case "TlsX509PublicKeyExponent": + case "tls.x509.public_key_size": + case "TlsX509PublicKeySize": + case "tls.x509.serial_number": + case "TlsX509SerialNumber": + case "tls.x509.signature_algorithm": + case "TlsX509SignatureAlgorithm": + case "tls.x509.subject.distinguished_name": + case "TlsX509SubjectDistinguishedName": + case "tls.x509.version_number": + case "TlsX509VersionNumber": return TrySetTls(document, path, value); case "url.domain": case "UrlDomain": 
@@ -1612,6 +2974,36 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "UserId": case "user.name": case "UserName": + case "user.group.domain": + case "UserGroupDomain": + case "user.group.id": + case "UserGroupId": + case "user.group.name": + case "UserGroupName": + case "user.risk.calculated_level": + case "UserRiskCalculatedLevel": + case "user.risk.calculated_score": + case "UserRiskCalculatedScore": + case "user.risk.calculated_score_norm": + case "UserRiskCalculatedScoreNorm": + case "user.risk.static_level": + case "UserRiskStaticLevel": + case "user.risk.static_score": + case "UserRiskStaticScore": + case "user.risk.static_score_norm": + case "UserRiskStaticScoreNorm": + case "user.user.domain": + case "UserUserDomain": + case "user.user.email": + case "UserUserEmail": + case "user.user.full_name": + case "UserUserFullName": + case "user.user.hash": + case "UserUserHash": + case "user.user.id": + case "UserUserId": + case "user.user.name": + case "UserUserName": return TrySetUser(document, path, value); case "user_agent.device.name": case "UserAgentDeviceName": @@ -1621,6 +3013,20 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "UserAgentOriginal": case "user_agent.version": case "UserAgentVersion": + case "user_agent.os.family": + case "UserAgentOsFamily": + case "user_agent.os.full": + case "UserAgentOsFull": + case "user_agent.os.kernel": + case "UserAgentOsKernel": + case "user_agent.os.name": + case "UserAgentOsName": + case "user_agent.os.platform": + case "UserAgentOsPlatform": + case "user_agent.os.type": + case "UserAgentOsType": + case "user_agent.os.version": + case "UserAgentOsVersion": return TrySetUserAgent(document, path, value); case "vlan.id": case "VlanId": 
@@ -1725,24 +3131,6 @@ public static bool TrySetAgent(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetAs(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "as.number" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), - "AsNumber" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), - "as.organization.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), - "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.As ?? new As(); - var assigned = assign(entity, value); - if (assigned) document.As = entity; - return assigned; - } - public static bool TrySetClient(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -1771,6 +3159,72 @@ public static bool TrySetClient(EcsDocument document, string path, object value) "ClientSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "client.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ClientTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "client.as.number" => static (e, v) => TrySetAs(e, "as.number", v), + "ClientAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), + "client.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "ClientAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "client.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "ClientGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "client.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "ClientGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "client.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "ClientGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "client.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "ClientGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "client.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "ClientGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "client.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "ClientGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "client.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "ClientGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "client.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "ClientGeoRegionIsoCode" 
=> static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "client.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "ClientGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "client.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "ClientGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "client.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), + "ClientUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), + "client.user.email" => static (e, v) => TrySetUser(e, "user.email", v), + "ClientUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), + "client.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), + "ClientUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), + "client.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), + "ClientUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), + "client.user.id" => static (e, v) => TrySetUser(e, "user.id", v), + "ClientUserId" => static (e, v) => TrySetUser(e, "user.id", v), + "client.user.name" => static (e, v) => TrySetUser(e, "user.name", v), + "ClientUserName" => static (e, v) => TrySetUser(e, "user.name", v), + "client.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "ClientUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "client.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), + "ClientUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), + "client.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), + "ClientUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), + "client.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "ClientUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "client.user.risk.calculated_score" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "ClientUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "client.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "ClientUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "client.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "ClientUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "client.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "ClientUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "client.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "ClientUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "client.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "ClientUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "client.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), + "ClientUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), + "client.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "ClientUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "client.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "ClientUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "client.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), + "ClientUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), + "client.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), + "ClientUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), _ => null }; if 
(assign == null) return false; 
@@ -1807,6 +3261,28 @@ public static bool TrySetCloud(EcsDocument document, string path, object value) "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), + "cloud.cloud.account.id" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.id", v), + "CloudCloudAccountId" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.id", v), + "cloud.cloud.account.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.name", v), + "CloudCloudAccountName" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.name", v), + "cloud.cloud.availability_zone" => static (e, v) => TrySetCloudOrigin(e, "cloud.availability_zone", v), + "CloudCloudAvailabilityZone" => static (e, v) => TrySetCloudOrigin(e, "cloud.availability_zone", v), + "cloud.cloud.instance.id" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.id", v), + "CloudCloudInstanceId" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.id", v), + "cloud.cloud.instance.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.name", v), + "CloudCloudInstanceName" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.name", v), + "cloud.cloud.machine.type" => static (e, v) => TrySetCloudOrigin(e, "cloud.machine.type", v), + "CloudCloudMachineType" => static (e, v) => TrySetCloudOrigin(e, "cloud.machine.type", v), + "cloud.cloud.project.id" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.id", v), + "CloudCloudProjectId" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.id", v), + "cloud.cloud.project.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.name", v), + "CloudCloudProjectName" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.name", v), + "cloud.cloud.provider" => static (e, v) => TrySetCloudOrigin(e, "cloud.provider", v), + 
"CloudCloudProvider" => static (e, v) => TrySetCloudOrigin(e, "cloud.provider", v), + "cloud.cloud.region" => static (e, v) => TrySetCloudOrigin(e, "cloud.region", v), + "CloudCloudRegion" => static (e, v) => TrySetCloudOrigin(e, "cloud.region", v), + "cloud.cloud.service.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.service.name", v), + "CloudCloudServiceName" => static (e, v) => TrySetCloudOrigin(e, "cloud.service.name", v), _ => null }; if (assign == null) return false; 
@@ -1817,38 +3293,6 @@ public static bool TrySetCloud(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetCodeSignature(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "code_signature.digest_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), - "CodeSignatureDigestAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), - "code_signature.exists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), - "CodeSignatureExists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), - "code_signature.signing_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), - "CodeSignatureSigningId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), - "code_signature.status" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), - "CodeSignatureStatus" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), - "code_signature.subject_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), - "CodeSignatureSubjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), - "code_signature.team_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), - "CodeSignatureTeamId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), - "code_signature.timestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), - "CodeSignatureTimestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), - "code_signature.trusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), - "CodeSignatureTrusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), - "code_signature.valid" => static (e, v) => TrySetBool(e, v, static (ee, p) => 
ee.Valid = p), - "CodeSignatureValid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.CodeSignature ?? new CodeSignature(); - var assigned = assign(entity, value); - if (assigned) document.CodeSignature = entity; - return assigned; - } - public static bool TrySetContainer(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -1933,6 +3377,72 @@ public static bool TrySetDestination(EcsDocument document, string path, object v "DestinationSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "destination.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "DestinationTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "destination.as.number" => static (e, v) => TrySetAs(e, "as.number", v), + "DestinationAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), + "destination.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "DestinationAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "destination.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "DestinationGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "destination.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "DestinationGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "destination.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "DestinationGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "destination.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "DestinationGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "destination.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "DestinationGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "destination.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "DestinationGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "destination.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "DestinationGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + 
"destination.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "DestinationGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "destination.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "DestinationGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "destination.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "DestinationGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "destination.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), + "DestinationUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), + "destination.user.email" => static (e, v) => TrySetUser(e, "user.email", v), + "DestinationUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), + "destination.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), + "DestinationUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), + "destination.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), + "DestinationUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), + "destination.user.id" => static (e, v) => TrySetUser(e, "user.id", v), + "DestinationUserId" => static (e, v) => TrySetUser(e, "user.id", v), + "destination.user.name" => static (e, v) => TrySetUser(e, "user.name", v), + "DestinationUserName" => static (e, v) => TrySetUser(e, "user.name", v), + "destination.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "DestinationUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "destination.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), + "DestinationUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), + "destination.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), + "DestinationUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), + 
"destination.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "DestinationUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "destination.user.risk.calculated_score" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "DestinationUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "destination.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "DestinationUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "destination.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "DestinationUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "destination.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "DestinationUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "destination.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "DestinationUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "destination.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "DestinationUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "destination.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), + "DestinationUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), + "destination.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "DestinationUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "destination.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "DestinationUserUserHash" => static (e, v) => TrySetUser(e, 
"user.user.hash", v), + "destination.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), + "DestinationUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), + "destination.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), + "DestinationUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), _ => null }; if (assign == null) return false; 
@@ -1973,6 +3483,70 @@ public static bool TrySetDll(EcsDocument document, string path, object value) "DllName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "dll.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), "DllPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "dll.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "DllHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "dll.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "DllHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "dll.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "DllHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "dll.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "DllHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "dll.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "DllHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "dll.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "DllHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "dll.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "DllHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "dll.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "DllPeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "dll.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), + "DllPeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), + "dll.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), + "DllPeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), + "dll.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "DllPeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "dll.pe.go_import_hash" => static (e, v) => TrySetPe(e, 
"pe.go_import_hash", v), + "DllPeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), + "dll.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "DllPeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "dll.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "DllPeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "dll.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "DllPeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "dll.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "DllPeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "dll.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "DllPeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "dll.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "DllPeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "dll.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "DllPeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "dll.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "DllPeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "dll.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "DllPeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "dll.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "DllPePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "dll.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), + "DllPeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), + "dll.code_signature.digest_algorithm" => static 
(e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "DllCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "dll.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "DllCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "dll.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "DllCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "dll.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "DllCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "dll.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "DllCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "dll.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "DllCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "dll.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "DllCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "dll.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "DllCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "dll.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "DllCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), _ => null }; if (assign == null) return false; 
@@ -2033,62 +3607,6 @@ public static bool TrySetEcs(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetElf(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "elf.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "ElfArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "elf.byte_order" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), - "ElfByteOrder" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), - "elf.cpu_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), - "ElfCpuType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), - "elf.creation_date" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), - "ElfCreationDate" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), - "elf.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "ElfGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "elf.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "ElfGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "elf.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "ElfGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "elf.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "ElfGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "elf.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - 
"ElfGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "elf.header.abi_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), - "ElfHeaderAbiVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), - "elf.header.class" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), - "ElfHeaderClass" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), - "elf.header.data" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), - "ElfHeaderData" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), - "elf.header.entrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), - "ElfHeaderEntrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), - "elf.header.object_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderObjectVersion = p), - "ElfHeaderObjectVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderObjectVersion = p), - "elf.header.os_abi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), - "ElfHeaderOsAbi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), - "elf.header.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), - "ElfHeaderType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), - "elf.header.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), - "ElfHeaderVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), - "elf.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "ElfImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "elf.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static 
(ee, p) => ee.ImportsNamesEntropy = p), - "ElfImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "elf.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "ElfImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "elf.telfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), - "ElfTelfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Elf ?? new Elf(); - var assigned = assign(entity, value); - if (assigned) document.Elf = entity; - return assigned; - } - public static bool TrySetEmail(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -2281,6 +3799,152 @@ public static bool TrySetFile(EcsDocument document, string path, object value) "FileType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "file.uid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), "FileUid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), + "file.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "FileHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "file.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "FileHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "file.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "FileHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "file.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "FileHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "file.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "FileHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "file.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "FileHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "file.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "FileHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "file.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "FilePeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "file.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), + "FilePeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), + "file.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), + "FilePeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), + "file.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "FilePeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "file.pe.go_import_hash" => static (e, v) => 
TrySetPe(e, "pe.go_import_hash", v), + "FilePeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), + "file.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "FilePeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "file.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "FilePeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "file.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "FilePeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "file.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "FilePeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "file.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "FilePeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "file.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "FilePeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "file.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "FilePeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "file.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "FilePeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "file.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "FilePeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "file.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "FilePePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "file.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), + "FilePeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), + 
"file.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "FileX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "file.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "FileX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "file.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "FileX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "file.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "FileX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "file.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "FileX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "file.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "FileX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "file.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "FileX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "file.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "FileX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "file.x509.signature_algorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), + "FileX509SignatureAlgorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), + "file.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "FileX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "file.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), + 
"FileX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "file.code_signature.digest_algorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "FileCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "file.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "FileCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "file.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "FileCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "file.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "FileCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "file.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "FileCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "file.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "FileCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "file.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "FileCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "file.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "FileCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "file.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "FileCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", 
v), + "file.elf.architecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), + "FileElfArchitecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), + "file.elf.byte_order" => static (e, v) => TrySetElf(e, "elf.byte_order", v), + "FileElfByteOrder" => static (e, v) => TrySetElf(e, "elf.byte_order", v), + "file.elf.cpu_type" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), + "FileElfCpuType" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), + "file.elf.creation_date" => static (e, v) => TrySetElf(e, "elf.creation_date", v), + "FileElfCreationDate" => static (e, v) => TrySetElf(e, "elf.creation_date", v), + "file.elf.go_import_hash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), + "FileElfGoImportHash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), + "file.elf.go_imports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), + "FileElfGoImports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), + "file.elf.go_imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), + "FileElfGoImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), + "file.elf.go_imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), + "FileElfGoImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), + "file.elf.go_stripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), + "FileElfGoStripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), + "file.elf.header.abi_version" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), + "FileElfHeaderAbiVersion" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), + "file.elf.header.class" => static (e, v) => TrySetElf(e, "elf.header.class", v), + "FileElfHeaderClass" => static (e, v) => TrySetElf(e, "elf.header.class", v), + "file.elf.header.data" => static (e, v) => TrySetElf(e, "elf.header.data", v), + 
"FileElfHeaderData" => static (e, v) => TrySetElf(e, "elf.header.data", v), + "file.elf.header.entrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), + "FileElfHeaderEntrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), + "file.elf.header.object_version" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), + "FileElfHeaderObjectVersion" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), + "file.elf.header.os_abi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), + "FileElfHeaderOsAbi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), + "file.elf.header.type" => static (e, v) => TrySetElf(e, "elf.header.type", v), + "FileElfHeaderType" => static (e, v) => TrySetElf(e, "elf.header.type", v), + "file.elf.header.version" => static (e, v) => TrySetElf(e, "elf.header.version", v), + "FileElfHeaderVersion" => static (e, v) => TrySetElf(e, "elf.header.version", v), + "file.elf.import_hash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), + "FileElfImportHash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), + "file.elf.imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), + "FileElfImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), + "file.elf.imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), + "FileElfImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), + "file.elf.telfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), + "FileElfTelfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), + "file.macho.go_import_hash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), + "FileMachoGoImportHash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), + "file.macho.go_imports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), + "FileMachoGoImports" => static (e, v) => TrySetMacho(e, 
"macho.go_imports", v), + "file.macho.go_imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), + "FileMachoGoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), + "file.macho.go_imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), + "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), + "file.macho.go_stripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), + "FileMachoGoStripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), + "file.macho.import_hash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), + "FileMachoImportHash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), + "file.macho.imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), + "FileMachoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), + "file.macho.imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), + "FileMachoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), + "file.macho.symhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + "FileMachoSymhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), _ => null }; if (assign == null) return false; 
@@ -2291,88 +3955,6 @@ public static bool TrySetFile(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetGeo(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "geo.city_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), - "GeoCityName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), - "geo.continent_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), - "GeoContinentCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), - "geo.continent_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), - "GeoContinentName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), - "geo.country_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), - "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), - "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), - "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), - "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), - "GeoPostalCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), - "geo.region_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), - "GeoRegionIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), - "geo.region_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), - "GeoRegionName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), - 
"geo.timezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), - "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Geo ?? new Geo(); - var assigned = assign(entity, value); - if (assigned) document.Geo = entity; - return assigned; - } - - public static bool TrySetGroup(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Group ?? 
new Group(); - var assigned = assign(entity, value); - if (assigned) document.Group = entity; - return assigned; - } - - public static bool TrySetHash(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "hash.md5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), - "HashMd5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), - "hash.sha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), - "HashSha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), - "hash.sha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), - "HashSha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), - "hash.sha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), - "HashSha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), - "hash.sha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), - "HashSha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), - "hash.ssdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), - "HashSsdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), - "hash.tlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), - "HashTlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Hash ?? new Hash(); - var assigned = assign(entity, value); - if (assigned) document.Hash = entity; - return assigned; - } - public static bool TrySetHost(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -2409,6 +3991,52 @@ public static bool TrySetHost(EcsDocument document, string path, object value) "HostType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "host.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), "HostUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "host.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "HostGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "host.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "HostGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "host.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "HostGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "host.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "HostGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "host.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "HostGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "host.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "HostGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "host.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "HostGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "host.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "HostGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "host.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "HostGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "host.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "HostGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "host.os.family" => static (e, v) => 
TrySetOs(e, "os.family", v), + "HostOsFamily" => static (e, v) => TrySetOs(e, "os.family", v), + "host.os.full" => static (e, v) => TrySetOs(e, "os.full", v), + "HostOsFull" => static (e, v) => TrySetOs(e, "os.full", v), + "host.os.kernel" => static (e, v) => TrySetOs(e, "os.kernel", v), + "HostOsKernel" => static (e, v) => TrySetOs(e, "os.kernel", v), + "host.os.name" => static (e, v) => TrySetOs(e, "os.name", v), + "HostOsName" => static (e, v) => TrySetOs(e, "os.name", v), + "host.os.platform" => static (e, v) => TrySetOs(e, "os.platform", v), + "HostOsPlatform" => static (e, v) => TrySetOs(e, "os.platform", v), + "host.os.type" => static (e, v) => TrySetOs(e, "os.type", v), + "HostOsType" => static (e, v) => TrySetOs(e, "os.type", v), + "host.os.version" => static (e, v) => TrySetOs(e, "os.version", v), + "HostOsVersion" => static (e, v) => TrySetOs(e, "os.version", v), + "host.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "HostRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "host.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "HostRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "host.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "HostRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "host.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "HostRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "host.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "HostRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "host.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "HostRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), _ => null }; 
if (assign == null) return false; 
@@ -2505,38 +4133,6 @@ public static bool TrySetLog(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetMacho(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "macho.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "MachoGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "macho.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "MachoGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "macho.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "MachoGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "macho.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "MachoGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "macho.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "MachoGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "macho.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "MachoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "macho.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "MachoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "macho.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "MachoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - 
"macho.symhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), - "MachoSymhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Macho ?? new Macho(); - var assigned = assign(entity, value); - if (assigned) document.Macho = entity; - return assigned; - } - public static bool TrySetNetwork(EcsDocument document, string path, object value) { Func assign = path switch @@ -2563,6 +4159,10 @@ public static bool TrySetNetwork(EcsDocument document, string path, object value "NetworkTransport" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Transport = p), "network.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "NetworkType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "network.vlan.id" => static (e, v) => TrySetVlan(e, "vlan.id", v), + "NetworkVlanId" => static (e, v) => TrySetVlan(e, "vlan.id", v), + "network.vlan.name" => static (e, v) => TrySetVlan(e, "vlan.name", v), + "NetworkVlanName" => static (e, v) => TrySetVlan(e, "vlan.name", v), _ => null }; if (assign == null) return false; 
@@ -2591,6 +4191,40 @@ public static bool TrySetObserver(EcsDocument document, string path, object valu "ObserverVendor" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Vendor = p), "observer.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ObserverVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "observer.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "ObserverGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "observer.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "ObserverGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "observer.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "ObserverGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "observer.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "ObserverGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "observer.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "ObserverGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "observer.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "ObserverGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "observer.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "ObserverGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "observer.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "ObserverGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "observer.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "ObserverGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "observer.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + 
"ObserverGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "observer.os.family" => static (e, v) => TrySetOs(e, "os.family", v), + "ObserverOsFamily" => static (e, v) => TrySetOs(e, "os.family", v), + "observer.os.full" => static (e, v) => TrySetOs(e, "os.full", v), + "ObserverOsFull" => static (e, v) => TrySetOs(e, "os.full", v), + "observer.os.kernel" => static (e, v) => TrySetOs(e, "os.kernel", v), + "ObserverOsKernel" => static (e, v) => TrySetOs(e, "os.kernel", v), + "observer.os.name" => static (e, v) => TrySetOs(e, "os.name", v), + "ObserverOsName" => static (e, v) => TrySetOs(e, "os.name", v), + "observer.os.platform" => static (e, v) => TrySetOs(e, "os.platform", v), + "ObserverOsPlatform" => static (e, v) => TrySetOs(e, "os.platform", v), + "observer.os.type" => static (e, v) => TrySetOs(e, "os.type", v), + "ObserverOsType" => static (e, v) => TrySetOs(e, "os.type", v), + "observer.os.version" => static (e, v) => TrySetOs(e, "os.version", v), + "ObserverOsVersion" => static (e, v) => TrySetOs(e, "os.version", v), _ => null }; if (assign == null) return false; 
@@ -2657,34 +4291,6 @@ public static bool TrySetOrganization(EcsDocument document, string path, object return assigned; } - public static bool TrySetOs(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "os.family" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), - "OsFamily" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), - "os.full" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), - "OsFull" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), - "os.kernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), - "OsKernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), - "os.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "OsName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "os.platform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), - "OsPlatform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), - "os.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "OsType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "os.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "OsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Os ?? new Os(); - var assigned = assign(entity, value); - if (assigned) document.Os = entity; - return assigned; - } - public static bool TrySetPackage(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -2725,55 +4331,9 @@ public static bool TrySetPackage(EcsDocument document, string path, object value return assigned; } - public static bool TrySetPe(EcsDocument document, string path, object value) + public static bool TrySetProcess(EcsDocument document, string path, object value) { - Func assign = path switch - { - "pe.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "PeArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "pe.company" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), - "PeCompany" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), - "pe.description" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), - "PeDescription" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), - "pe.file_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), - "PeFileVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), - "pe.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "PeGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "pe.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "PeGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "pe.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "PeGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "pe.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "PeGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "pe.go_stripped" => static (e, v) => TrySetBool(e, v, 
static (ee, p) => ee.GoStripped = p), - "PeGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "pe.imphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), - "PeImphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), - "pe.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "PeImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "pe.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "PeImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "pe.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "PeImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "pe.original_file_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), - "PeOriginalFileName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), - "pe.pehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), - "PePehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), - "pe.product" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), - "PeProduct" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Pe ?? 
new Pe(); - var assigned = assign(entity, value); - if (assigned) document.Pe = entity; - return assigned; - } - - public static bool TrySetProcess(EcsDocument document, string path, object value) - { - Func assign = path switch + Func assign = path switch { "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), 
@@ -2809,6 +4369,472 @@ public static bool TrySetProcess(EcsDocument document, string path, object value "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "process.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "ProcessGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "process.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), + "ProcessGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), + "process.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), + "ProcessGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), + "process.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "ProcessHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "process.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "ProcessHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "process.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "ProcessHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "process.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "ProcessHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "process.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "ProcessHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "process.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "ProcessHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "process.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "ProcessHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "process.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + 
"ProcessPeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "process.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), + "ProcessPeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), + "process.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), + "ProcessPeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), + "process.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "ProcessPeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "process.pe.go_import_hash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), + "ProcessPeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), + "process.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "ProcessPeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "process.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "ProcessPeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "process.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "ProcessPeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "process.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "ProcessPeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "process.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "ProcessPeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "process.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "ProcessPeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "process.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "ProcessPeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + 
"process.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "ProcessPeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "process.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "ProcessPeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "process.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "ProcessPePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "process.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), + "ProcessPeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), + "process.code_signature.digest_algorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "ProcessCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "process.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "ProcessCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "process.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "ProcessCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "process.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "ProcessCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "process.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "ProcessCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "process.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "ProcessCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, 
"code_signature.team_id", v), + "process.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "ProcessCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "process.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "ProcessCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "process.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "ProcessCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "process.elf.architecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), + "ProcessElfArchitecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), + "process.elf.byte_order" => static (e, v) => TrySetElf(e, "elf.byte_order", v), + "ProcessElfByteOrder" => static (e, v) => TrySetElf(e, "elf.byte_order", v), + "process.elf.cpu_type" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), + "ProcessElfCpuType" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), + "process.elf.creation_date" => static (e, v) => TrySetElf(e, "elf.creation_date", v), + "ProcessElfCreationDate" => static (e, v) => TrySetElf(e, "elf.creation_date", v), + "process.elf.go_import_hash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), + "ProcessElfGoImportHash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), + "process.elf.go_imports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), + "ProcessElfGoImports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), + "process.elf.go_imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), + "ProcessElfGoImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), + "process.elf.go_imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), + 
"ProcessElfGoImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), + "process.elf.go_stripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), + "ProcessElfGoStripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), + "process.elf.header.abi_version" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), + "ProcessElfHeaderAbiVersion" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), + "process.elf.header.class" => static (e, v) => TrySetElf(e, "elf.header.class", v), + "ProcessElfHeaderClass" => static (e, v) => TrySetElf(e, "elf.header.class", v), + "process.elf.header.data" => static (e, v) => TrySetElf(e, "elf.header.data", v), + "ProcessElfHeaderData" => static (e, v) => TrySetElf(e, "elf.header.data", v), + "process.elf.header.entrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), + "ProcessElfHeaderEntrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), + "process.elf.header.object_version" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), + "ProcessElfHeaderObjectVersion" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), + "process.elf.header.os_abi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), + "ProcessElfHeaderOsAbi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), + "process.elf.header.type" => static (e, v) => TrySetElf(e, "elf.header.type", v), + "ProcessElfHeaderType" => static (e, v) => TrySetElf(e, "elf.header.type", v), + "process.elf.header.version" => static (e, v) => TrySetElf(e, "elf.header.version", v), + "ProcessElfHeaderVersion" => static (e, v) => TrySetElf(e, "elf.header.version", v), + "process.elf.import_hash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), + "ProcessElfImportHash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), + "process.elf.imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), + 
"ProcessElfImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), + "process.elf.imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), + "ProcessElfImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), + "process.elf.telfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), + "ProcessElfTelfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), + "process.macho.go_import_hash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), + "ProcessMachoGoImportHash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), + "process.macho.go_imports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), + "ProcessMachoGoImports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), + "process.macho.go_imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), + "ProcessMachoGoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), + "process.macho.go_imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), + "ProcessMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), + "process.macho.go_stripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), + "ProcessMachoGoStripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), + "process.macho.import_hash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), + "ProcessMachoImportHash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), + "process.macho.imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), + "ProcessMachoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), + "process.macho.imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), + 
"ProcessMachoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), + "process.macho.symhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + "ProcessMachoSymhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + "process.source.address" => static (e, v) => TrySetSource(e, "source.address", v), + "ProcessSourceAddress" => static (e, v) => TrySetSource(e, "source.address", v), + "process.source.bytes" => static (e, v) => TrySetSource(e, "source.bytes", v), + "ProcessSourceBytes" => static (e, v) => TrySetSource(e, "source.bytes", v), + "process.source.domain" => static (e, v) => TrySetSource(e, "source.domain", v), + "ProcessSourceDomain" => static (e, v) => TrySetSource(e, "source.domain", v), + "process.source.ip" => static (e, v) => TrySetSource(e, "source.ip", v), + "ProcessSourceIp" => static (e, v) => TrySetSource(e, "source.ip", v), + "process.source.mac" => static (e, v) => TrySetSource(e, "source.mac", v), + "ProcessSourceMac" => static (e, v) => TrySetSource(e, "source.mac", v), + "process.source.nat.ip" => static (e, v) => TrySetSource(e, "source.nat.ip", v), + "ProcessSourceNatIp" => static (e, v) => TrySetSource(e, "source.nat.ip", v), + "process.source.nat.port" => static (e, v) => TrySetSource(e, "source.nat.port", v), + "ProcessSourceNatPort" => static (e, v) => TrySetSource(e, "source.nat.port", v), + "process.source.packets" => static (e, v) => TrySetSource(e, "source.packets", v), + "ProcessSourcePackets" => static (e, v) => TrySetSource(e, "source.packets", v), + "process.source.port" => static (e, v) => TrySetSource(e, "source.port", v), + "ProcessSourcePort" => static (e, v) => TrySetSource(e, "source.port", v), + "process.source.registered_domain" => static (e, v) => TrySetSource(e, "source.registered_domain", v), + "ProcessSourceRegisteredDomain" => static (e, v) => TrySetSource(e, "source.registered_domain", v), + "process.source.subdomain" => static (e, v) => TrySetSource(e, 
"source.subdomain", v), + "ProcessSourceSubdomain" => static (e, v) => TrySetSource(e, "source.subdomain", v), + "process.source.top_level_domain" => static (e, v) => TrySetSource(e, "source.top_level_domain", v), + "ProcessSourceTopLevelDomain" => static (e, v) => TrySetSource(e, "source.top_level_domain", v), + "process.source.as.number" => static (e, v) => TrySetSource(e, "source.as.number", v), + "ProcessSourceAsNumber" => static (e, v) => TrySetSource(e, "source.as.number", v), + "process.source.as.organization.name" => static (e, v) => TrySetSource(e, "source.as.organization.name", v), + "ProcessSourceAsOrganizationName" => static (e, v) => TrySetSource(e, "source.as.organization.name", v), + "process.source.geo.city_name" => static (e, v) => TrySetSource(e, "source.geo.city_name", v), + "ProcessSourceGeoCityName" => static (e, v) => TrySetSource(e, "source.geo.city_name", v), + "process.source.geo.continent_code" => static (e, v) => TrySetSource(e, "source.geo.continent_code", v), + "ProcessSourceGeoContinentCode" => static (e, v) => TrySetSource(e, "source.geo.continent_code", v), + "process.source.geo.continent_name" => static (e, v) => TrySetSource(e, "source.geo.continent_name", v), + "ProcessSourceGeoContinentName" => static (e, v) => TrySetSource(e, "source.geo.continent_name", v), + "process.source.geo.country_iso_code" => static (e, v) => TrySetSource(e, "source.geo.country_iso_code", v), + "ProcessSourceGeoCountryIsoCode" => static (e, v) => TrySetSource(e, "source.geo.country_iso_code", v), + "process.source.geo.country_name" => static (e, v) => TrySetSource(e, "source.geo.country_name", v), + "ProcessSourceGeoCountryName" => static (e, v) => TrySetSource(e, "source.geo.country_name", v), + "process.source.geo.name" => static (e, v) => TrySetSource(e, "source.geo.name", v), + "ProcessSourceGeoName" => static (e, v) => TrySetSource(e, "source.geo.name", v), + "process.source.geo.postal_code" => static (e, v) => TrySetSource(e, 
"source.geo.postal_code", v), + "ProcessSourceGeoPostalCode" => static (e, v) => TrySetSource(e, "source.geo.postal_code", v), + "process.source.geo.region_iso_code" => static (e, v) => TrySetSource(e, "source.geo.region_iso_code", v), + "ProcessSourceGeoRegionIsoCode" => static (e, v) => TrySetSource(e, "source.geo.region_iso_code", v), + "process.source.geo.region_name" => static (e, v) => TrySetSource(e, "source.geo.region_name", v), + "ProcessSourceGeoRegionName" => static (e, v) => TrySetSource(e, "source.geo.region_name", v), + "process.source.geo.timezone" => static (e, v) => TrySetSource(e, "source.geo.timezone", v), + "ProcessSourceGeoTimezone" => static (e, v) => TrySetSource(e, "source.geo.timezone", v), + "process.source.user.domain" => static (e, v) => TrySetSource(e, "source.user.domain", v), + "ProcessSourceUserDomain" => static (e, v) => TrySetSource(e, "source.user.domain", v), + "process.source.user.email" => static (e, v) => TrySetSource(e, "source.user.email", v), + "ProcessSourceUserEmail" => static (e, v) => TrySetSource(e, "source.user.email", v), + "process.source.user.full_name" => static (e, v) => TrySetSource(e, "source.user.full_name", v), + "ProcessSourceUserFullName" => static (e, v) => TrySetSource(e, "source.user.full_name", v), + "process.source.user.hash" => static (e, v) => TrySetSource(e, "source.user.hash", v), + "ProcessSourceUserHash" => static (e, v) => TrySetSource(e, "source.user.hash", v), + "process.source.user.id" => static (e, v) => TrySetSource(e, "source.user.id", v), + "ProcessSourceUserId" => static (e, v) => TrySetSource(e, "source.user.id", v), + "process.source.user.name" => static (e, v) => TrySetSource(e, "source.user.name", v), + "ProcessSourceUserName" => static (e, v) => TrySetSource(e, "source.user.name", v), + "process.source.user.group.domain" => static (e, v) => TrySetSource(e, "source.user.group.domain", v), + "ProcessSourceUserGroupDomain" => static (e, v) => TrySetSource(e, "source.user.group.domain", 
v), + "process.source.user.group.id" => static (e, v) => TrySetSource(e, "source.user.group.id", v), + "ProcessSourceUserGroupId" => static (e, v) => TrySetSource(e, "source.user.group.id", v), + "process.source.user.group.name" => static (e, v) => TrySetSource(e, "source.user.group.name", v), + "ProcessSourceUserGroupName" => static (e, v) => TrySetSource(e, "source.user.group.name", v), + "process.source.user.risk.calculated_level" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_level", v), + "ProcessSourceUserRiskCalculatedLevel" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_level", v), + "process.source.user.risk.calculated_score" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score", v), + "ProcessSourceUserRiskCalculatedScore" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score", v), + "process.source.user.risk.calculated_score_norm" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score_norm", v), + "ProcessSourceUserRiskCalculatedScoreNorm" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score_norm", v), + "process.source.user.risk.static_level" => static (e, v) => TrySetSource(e, "source.user.risk.static_level", v), + "ProcessSourceUserRiskStaticLevel" => static (e, v) => TrySetSource(e, "source.user.risk.static_level", v), + "process.source.user.risk.static_score" => static (e, v) => TrySetSource(e, "source.user.risk.static_score", v), + "ProcessSourceUserRiskStaticScore" => static (e, v) => TrySetSource(e, "source.user.risk.static_score", v), + "process.source.user.risk.static_score_norm" => static (e, v) => TrySetSource(e, "source.user.risk.static_score_norm", v), + "ProcessSourceUserRiskStaticScoreNorm" => static (e, v) => TrySetSource(e, "source.user.risk.static_score_norm", v), + "process.source.user.user.domain" => static (e, v) => TrySetSource(e, "source.user.user.domain", v), + "ProcessSourceUserUserDomain" => static (e, v) => TrySetSource(e, 
"source.user.user.domain", v), + "process.source.user.user.email" => static (e, v) => TrySetSource(e, "source.user.user.email", v), + "ProcessSourceUserUserEmail" => static (e, v) => TrySetSource(e, "source.user.user.email", v), + "process.source.user.user.full_name" => static (e, v) => TrySetSource(e, "source.user.user.full_name", v), + "ProcessSourceUserUserFullName" => static (e, v) => TrySetSource(e, "source.user.user.full_name", v), + "process.source.user.user.hash" => static (e, v) => TrySetSource(e, "source.user.user.hash", v), + "ProcessSourceUserUserHash" => static (e, v) => TrySetSource(e, "source.user.user.hash", v), + "process.source.user.user.id" => static (e, v) => TrySetSource(e, "source.user.user.id", v), + "ProcessSourceUserUserId" => static (e, v) => TrySetSource(e, "source.user.user.id", v), + "process.source.user.user.name" => static (e, v) => TrySetSource(e, "source.user.user.name", v), + "ProcessSourceUserUserName" => static (e, v) => TrySetSource(e, "source.user.user.name", v), + "process.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), + "ProcessUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), + "process.user.email" => static (e, v) => TrySetUser(e, "user.email", v), + "ProcessUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), + "process.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), + "ProcessUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), + "process.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), + "ProcessUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), + "process.user.id" => static (e, v) => TrySetUser(e, "user.id", v), + "ProcessUserId" => static (e, v) => TrySetUser(e, "user.id", v), + "process.user.name" => static (e, v) => TrySetUser(e, "user.name", v), + "ProcessUserName" => static (e, v) => TrySetUser(e, "user.name", v), + "process.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + 
"ProcessUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "process.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), + "ProcessUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), + "process.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), + "ProcessUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), + "process.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "ProcessUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "process.user.risk.calculated_score" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "ProcessUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "process.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "ProcessUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "process.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "ProcessUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "process.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "ProcessUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "process.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "ProcessUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "process.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "ProcessUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "process.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), + "ProcessUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), + 
"process.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "ProcessUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "process.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "ProcessUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "process.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), + "ProcessUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), + "process.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), + "ProcessUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), + "process.process.args_count" => static (e, v) => TrySetProcessParent(e, "process.args_count", v), + "ProcessProcessArgsCount" => static (e, v) => TrySetProcessParent(e, "process.args_count", v), + "process.process.command_line" => static (e, v) => TrySetProcessParent(e, "process.command_line", v), + "ProcessProcessCommandLine" => static (e, v) => TrySetProcessParent(e, "process.command_line", v), + "process.process.end" => static (e, v) => TrySetProcessParent(e, "process.end", v), + "ProcessProcessEnd" => static (e, v) => TrySetProcessParent(e, "process.end", v), + "process.process.entity_id" => static (e, v) => TrySetProcessParent(e, "process.entity_id", v), + "ProcessProcessEntityId" => static (e, v) => TrySetProcessParent(e, "process.entity_id", v), + "process.process.executable" => static (e, v) => TrySetProcessParent(e, "process.executable", v), + "ProcessProcessExecutable" => static (e, v) => TrySetProcessParent(e, "process.executable", v), + "process.process.exit_code" => static (e, v) => TrySetProcessParent(e, "process.exit_code", v), + "ProcessProcessExitCode" => static (e, v) => TrySetProcessParent(e, "process.exit_code", v), + "process.process.interactive" => static (e, v) => TrySetProcessParent(e, "process.interactive", v), + "ProcessProcessInteractive" => static (e, v) => TrySetProcessParent(e, 
"process.interactive", v), + "process.process.name" => static (e, v) => TrySetProcessParent(e, "process.name", v), + "ProcessProcessName" => static (e, v) => TrySetProcessParent(e, "process.name", v), + "process.process.pgid" => static (e, v) => TrySetProcessParent(e, "process.pgid", v), + "ProcessProcessPgid" => static (e, v) => TrySetProcessParent(e, "process.pgid", v), + "process.process.pid" => static (e, v) => TrySetProcessParent(e, "process.pid", v), + "ProcessProcessPid" => static (e, v) => TrySetProcessParent(e, "process.pid", v), + "process.process.start" => static (e, v) => TrySetProcessParent(e, "process.start", v), + "ProcessProcessStart" => static (e, v) => TrySetProcessParent(e, "process.start", v), + "process.process.thread.id" => static (e, v) => TrySetProcessParent(e, "process.thread.id", v), + "ProcessProcessThreadId" => static (e, v) => TrySetProcessParent(e, "process.thread.id", v), + "process.process.thread.name" => static (e, v) => TrySetProcessParent(e, "process.thread.name", v), + "ProcessProcessThreadName" => static (e, v) => TrySetProcessParent(e, "process.thread.name", v), + "process.process.title" => static (e, v) => TrySetProcessParent(e, "process.title", v), + "ProcessProcessTitle" => static (e, v) => TrySetProcessParent(e, "process.title", v), + "process.process.uptime" => static (e, v) => TrySetProcessParent(e, "process.uptime", v), + "ProcessProcessUptime" => static (e, v) => TrySetProcessParent(e, "process.uptime", v), + "process.process.vpid" => static (e, v) => TrySetProcessParent(e, "process.vpid", v), + "ProcessProcessVpid" => static (e, v) => TrySetProcessParent(e, "process.vpid", v), + "process.process.working_directory" => static (e, v) => TrySetProcessParent(e, "process.working_directory", v), + "ProcessProcessWorkingDirectory" => static (e, v) => TrySetProcessParent(e, "process.working_directory", v), + "process.process.parent.process.args_count" => static (e, v) => TrySetProcessParent(e, 
"process.parent.process.args_count", v), + "ProcessProcessParentProcessArgsCount" => static (e, v) => TrySetProcessParent(e, "process.parent.process.args_count", v), + "process.process.parent.process.command_line" => static (e, v) => TrySetProcessParent(e, "process.parent.process.command_line", v), + "ProcessProcessParentProcessCommandLine" => static (e, v) => TrySetProcessParent(e, "process.parent.process.command_line", v), + "process.process.parent.process.end" => static (e, v) => TrySetProcessParent(e, "process.parent.process.end", v), + "ProcessProcessParentProcessEnd" => static (e, v) => TrySetProcessParent(e, "process.parent.process.end", v), + "process.process.parent.process.entity_id" => static (e, v) => TrySetProcessParent(e, "process.parent.process.entity_id", v), + "ProcessProcessParentProcessEntityId" => static (e, v) => TrySetProcessParent(e, "process.parent.process.entity_id", v), + "process.process.parent.process.executable" => static (e, v) => TrySetProcessParent(e, "process.parent.process.executable", v), + "ProcessProcessParentProcessExecutable" => static (e, v) => TrySetProcessParent(e, "process.parent.process.executable", v), + "process.process.parent.process.exit_code" => static (e, v) => TrySetProcessParent(e, "process.parent.process.exit_code", v), + "ProcessProcessParentProcessExitCode" => static (e, v) => TrySetProcessParent(e, "process.parent.process.exit_code", v), + "process.process.parent.process.interactive" => static (e, v) => TrySetProcessParent(e, "process.parent.process.interactive", v), + "ProcessProcessParentProcessInteractive" => static (e, v) => TrySetProcessParent(e, "process.parent.process.interactive", v), + "process.process.parent.process.name" => static (e, v) => TrySetProcessParent(e, "process.parent.process.name", v), + "ProcessProcessParentProcessName" => static (e, v) => TrySetProcessParent(e, "process.parent.process.name", v), + "process.process.parent.process.pgid" => static (e, v) => TrySetProcessParent(e, 
"process.parent.process.pgid", v), + "ProcessProcessParentProcessPgid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pgid", v), + "process.process.parent.process.pid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pid", v), + "ProcessProcessParentProcessPid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pid", v), + "process.process.parent.process.start" => static (e, v) => TrySetProcessParent(e, "process.parent.process.start", v), + "ProcessProcessParentProcessStart" => static (e, v) => TrySetProcessParent(e, "process.parent.process.start", v), + "process.process.parent.process.thread.id" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.id", v), + "ProcessProcessParentProcessThreadId" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.id", v), + "process.process.parent.process.thread.name" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.name", v), + "ProcessProcessParentProcessThreadName" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.name", v), + "process.process.parent.process.title" => static (e, v) => TrySetProcessParent(e, "process.parent.process.title", v), + "ProcessProcessParentProcessTitle" => static (e, v) => TrySetProcessParent(e, "process.parent.process.title", v), + "process.process.parent.process.uptime" => static (e, v) => TrySetProcessParent(e, "process.parent.process.uptime", v), + "ProcessProcessParentProcessUptime" => static (e, v) => TrySetProcessParent(e, "process.parent.process.uptime", v), + "process.process.parent.process.vpid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.vpid", v), + "ProcessProcessParentProcessVpid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.vpid", v), + "process.process.parent.process.working_directory" => static (e, v) => TrySetProcessParent(e, "process.parent.process.working_directory", v), + 
"ProcessProcessParentProcessWorkingDirectory" => static (e, v) => TrySetProcessParent(e, "process.parent.process.working_directory", v), + "process.process.entry_leader.process.args_count" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.args_count", v), + "ProcessProcessEntryLeaderProcessArgsCount" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.args_count", v), + "process.process.entry_leader.process.command_line" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.command_line", v), + "ProcessProcessEntryLeaderProcessCommandLine" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.command_line", v), + "process.process.entry_leader.process.end" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.end", v), + "ProcessProcessEntryLeaderProcessEnd" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.end", v), + "process.process.entry_leader.process.entity_id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entity_id", v), + "ProcessProcessEntryLeaderProcessEntityId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entity_id", v), + "process.process.entry_leader.process.executable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.executable", v), + "ProcessProcessEntryLeaderProcessExecutable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.executable", v), + "process.process.entry_leader.process.exit_code" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.exit_code", v), + "ProcessProcessEntryLeaderProcessExitCode" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.exit_code", v), + "process.process.entry_leader.process.interactive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.interactive", v), + 
"ProcessProcessEntryLeaderProcessInteractive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.interactive", v), + "process.process.entry_leader.process.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.name", v), + "ProcessProcessEntryLeaderProcessName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.name", v), + "process.process.entry_leader.process.pgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pgid", v), + "ProcessProcessEntryLeaderProcessPgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pgid", v), + "process.process.entry_leader.process.pid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pid", v), + "ProcessProcessEntryLeaderProcessPid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pid", v), + "process.process.entry_leader.process.start" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.start", v), + "ProcessProcessEntryLeaderProcessStart" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.start", v), + "process.process.entry_leader.process.thread.id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.id", v), + "ProcessProcessEntryLeaderProcessThreadId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.id", v), + "process.process.entry_leader.process.thread.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.name", v), + "ProcessProcessEntryLeaderProcessThreadName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.name", v), + "process.process.entry_leader.process.title" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.title", v), + "ProcessProcessEntryLeaderProcessTitle" => static (e, v) => 
TrySetProcessEntryLeader(e, "process.entry_leader.process.title", v), + "process.process.entry_leader.process.uptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.uptime", v), + "ProcessProcessEntryLeaderProcessUptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.uptime", v), + "process.process.entry_leader.process.vpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.vpid", v), + "ProcessProcessEntryLeaderProcessVpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.vpid", v), + "process.process.entry_leader.process.working_directory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.working_directory", v), + "ProcessProcessEntryLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.working_directory", v), + "process.process.entry_leader.process.entry_leader.parent.process.args_count" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.args_count", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.args_count", v), + "process.process.entry_leader.process.entry_leader.parent.process.command_line" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.command_line", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.command_line", v), + "process.process.entry_leader.process.entry_leader.parent.process.end" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.end", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd" => static (e, v) => 
TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.end", v), + "process.process.entry_leader.process.entry_leader.parent.process.entity_id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.entity_id", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.entity_id", v), + "process.process.entry_leader.process.entry_leader.parent.process.executable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.executable", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.executable", v), + "process.process.entry_leader.process.entry_leader.parent.process.exit_code" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.exit_code", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.exit_code", v), + "process.process.entry_leader.process.entry_leader.parent.process.interactive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.interactive", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.interactive", v), + "process.process.entry_leader.process.entry_leader.parent.process.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.name", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName" => static (e, v) => TrySetProcessEntryLeader(e, 
"process.entry_leader.process.entry_leader.parent.process.name", v), + "process.process.entry_leader.process.entry_leader.parent.process.pgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pgid", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pgid", v), + "process.process.entry_leader.process.entry_leader.parent.process.pid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pid", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pid", v), + "process.process.entry_leader.process.entry_leader.parent.process.start" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.start", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.start", v), + "process.process.entry_leader.process.entry_leader.parent.process.thread.id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.id", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.id", v), + "process.process.entry_leader.process.entry_leader.parent.process.thread.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.name", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.name", v), + 
"process.process.entry_leader.process.entry_leader.parent.process.title" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.title", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.title", v), + "process.process.entry_leader.process.entry_leader.parent.process.uptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.uptime", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.uptime", v), + "process.process.entry_leader.process.entry_leader.parent.process.vpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.vpid", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.vpid", v), + "process.process.entry_leader.process.entry_leader.parent.process.working_directory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.working_directory", v), + "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.working_directory", v), + "process.process.session_leader.process.args_count" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.args_count", v), + "ProcessProcessSessionLeaderProcessArgsCount" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.args_count", v), + "process.process.session_leader.process.command_line" => static (e, v) => TrySetProcessSessionLeader(e, 
"process.session_leader.process.command_line", v), + "ProcessProcessSessionLeaderProcessCommandLine" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.command_line", v), + "process.process.session_leader.process.end" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.end", v), + "ProcessProcessSessionLeaderProcessEnd" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.end", v), + "process.process.session_leader.process.entity_id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.entity_id", v), + "ProcessProcessSessionLeaderProcessEntityId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.entity_id", v), + "process.process.session_leader.process.executable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.executable", v), + "ProcessProcessSessionLeaderProcessExecutable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.executable", v), + "process.process.session_leader.process.exit_code" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.exit_code", v), + "ProcessProcessSessionLeaderProcessExitCode" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.exit_code", v), + "process.process.session_leader.process.interactive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.interactive", v), + "ProcessProcessSessionLeaderProcessInteractive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.interactive", v), + "process.process.session_leader.process.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.name", v), + "ProcessProcessSessionLeaderProcessName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.name", v), + "process.process.session_leader.process.pgid" 
=> static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pgid", v), + "ProcessProcessSessionLeaderProcessPgid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pgid", v), + "process.process.session_leader.process.pid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pid", v), + "ProcessProcessSessionLeaderProcessPid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pid", v), + "process.process.session_leader.process.start" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.start", v), + "ProcessProcessSessionLeaderProcessStart" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.start", v), + "process.process.session_leader.process.thread.id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.id", v), + "ProcessProcessSessionLeaderProcessThreadId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.id", v), + "process.process.session_leader.process.thread.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.name", v), + "ProcessProcessSessionLeaderProcessThreadName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.name", v), + "process.process.session_leader.process.title" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.title", v), + "ProcessProcessSessionLeaderProcessTitle" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.title", v), + "process.process.session_leader.process.uptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.uptime", v), + "ProcessProcessSessionLeaderProcessUptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.uptime", v), + "process.process.session_leader.process.vpid" => 
static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.vpid", v), + "ProcessProcessSessionLeaderProcessVpid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.vpid", v), + "process.process.session_leader.process.working_directory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.working_directory", v), + "ProcessProcessSessionLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.working_directory", v), + "process.process.session_leader.process.session_leader.parent.process.args_count" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.args_count", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.args_count", v), + "process.process.session_leader.process.session_leader.parent.process.command_line" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.command_line", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.command_line", v), + "process.process.session_leader.process.session_leader.parent.process.end" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.end", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.end", v), + "process.process.session_leader.process.session_leader.parent.process.entity_id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.entity_id", v), + 
"ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.entity_id", v), + "process.process.session_leader.process.session_leader.parent.process.executable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.executable", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.executable", v), + "process.process.session_leader.process.session_leader.parent.process.exit_code" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.exit_code", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.exit_code", v), + "process.process.session_leader.process.session_leader.parent.process.interactive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.interactive", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.interactive", v), + "process.process.session_leader.process.session_leader.parent.process.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.name", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.name", v), + "process.process.session_leader.process.session_leader.parent.process.pgid" => static (e, v) => TrySetProcessSessionLeader(e, 
"process.session_leader.process.session_leader.parent.process.pgid", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pgid", v), + "process.process.session_leader.process.session_leader.parent.process.pid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pid", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pid", v), + "process.process.session_leader.process.session_leader.parent.process.start" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.start", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.start", v), + "process.process.session_leader.process.session_leader.parent.process.thread.id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.id", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.id", v), + "process.process.session_leader.process.session_leader.parent.process.thread.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.name", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.name", v), + "process.process.session_leader.process.session_leader.parent.process.title" => static (e, v) => 
TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.title", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.title", v), + "process.process.session_leader.process.session_leader.parent.process.uptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.uptime", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.uptime", v), + "process.process.session_leader.process.session_leader.parent.process.vpid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.vpid", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.vpid", v), + "process.process.session_leader.process.session_leader.parent.process.working_directory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.working_directory", v), + "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.working_directory", v), _ => null }; if (assign == null) return false; 
@@ -2859,32 +4885,6 @@ public static bool TrySetRelated(EcsDocument document, string path, object value return assigned; } - public static bool TrySetRisk(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "risk.calculated_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), - "RiskCalculatedLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), - "risk.calculated_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), - "RiskCalculatedScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), - "risk.calculated_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), - "RiskCalculatedScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), - "risk.static_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), - "RiskStaticLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), - "risk.static_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), - "RiskStaticScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), - "risk.static_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), - "RiskStaticScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Risk ?? new Risk(); - var assigned = assign(entity, value); - if (assigned) document.Risk = entity; - return assigned; - } - public static bool TrySetRule(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -2945,6 +4945,72 @@ public static bool TrySetServer(EcsDocument document, string path, object value) "ServerSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "server.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ServerTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "server.as.number" => static (e, v) => TrySetAs(e, "as.number", v), + "ServerAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), + "server.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "ServerAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "server.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "ServerGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "server.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "ServerGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "server.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "ServerGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "server.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "ServerGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "server.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "ServerGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "server.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "ServerGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "server.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "ServerGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "server.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "ServerGeoRegionIsoCode" 
=> static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "server.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "ServerGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "server.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "ServerGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "server.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), + "ServerUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), + "server.user.email" => static (e, v) => TrySetUser(e, "user.email", v), + "ServerUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), + "server.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), + "ServerUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), + "server.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), + "ServerUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), + "server.user.id" => static (e, v) => TrySetUser(e, "user.id", v), + "ServerUserId" => static (e, v) => TrySetUser(e, "user.id", v), + "server.user.name" => static (e, v) => TrySetUser(e, "user.name", v), + "ServerUserName" => static (e, v) => TrySetUser(e, "user.name", v), + "server.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "ServerUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "server.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), + "ServerUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), + "server.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), + "ServerUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), + "server.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "ServerUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "server.user.risk.calculated_score" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "ServerUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "server.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "ServerUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "server.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "ServerUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "server.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "ServerUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "server.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "ServerUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "server.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "ServerUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "server.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), + "ServerUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), + "server.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "ServerUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "server.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "ServerUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "server.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), + "ServerUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), + "server.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), + "ServerUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), _ => null }; if 
(assign == null) return false; 
@@ -2979,6 +5045,26 @@ public static bool TrySetService(EcsDocument document, string path, object value "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "service.origin.address" => static (e, v) => TrySetService(e, "service.address", v), + "ServiceServiceAddress" => static (e, v) => TrySetServiceOrigin(e, "service.address", v), + "service.service.environment" => static (e, v) => TrySetServiceOrigin(e, "service.environment", v), + "ServiceServiceEnvironment" => static (e, v) => TrySetServiceOrigin(e, "service.environment", v), + "service.service.ephemeral_id" => static (e, v) => TrySetServiceOrigin(e, "service.ephemeral_id", v), + "ServiceServiceEphemeralId" => static (e, v) => TrySetServiceOrigin(e, "service.ephemeral_id", v), + "service.service.id" => static (e, v) => TrySetServiceOrigin(e, "service.id", v), + "ServiceServiceId" => static (e, v) => TrySetServiceOrigin(e, "service.id", v), + "service.service.name" => static (e, v) => TrySetServiceOrigin(e, "service.name", v), + "ServiceServiceName" => static (e, v) => TrySetServiceOrigin(e, "service.name", v), + "service.service.node.name" => static (e, v) => TrySetServiceOrigin(e, "service.node.name", v), + "ServiceServiceNodeName" => static (e, v) => TrySetServiceOrigin(e, "service.node.name", v), + "service.service.node.role" => static (e, v) => TrySetServiceOrigin(e, "service.node.role", v), + "ServiceServiceNodeRole" => static (e, v) => TrySetServiceOrigin(e, "service.node.role", v), + "service.service.state" => static (e, v) => TrySetServiceOrigin(e, "service.state", v), + "ServiceServiceState" => static (e, v) => TrySetServiceOrigin(e, "service.state", v), + "service.service.type" => static (e, v) => TrySetServiceOrigin(e, "service.type", v), + "ServiceServiceType" => static (e, v) => 
TrySetServiceOrigin(e, "service.type", v), + "service.service.version" => static (e, v) => TrySetServiceOrigin(e, "service.version", v), + "ServiceServiceVersion" => static (e, v) => TrySetServiceOrigin(e, "service.version", v), _ => null }; if (assign == null) return false; 
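Review bot: The first added arm in the TrySetService hunk, `"service.origin.address" => static (e, v) => TrySetService(e, "service.address", v),`, disagrees with the other added arms: its dotted key uses `service.origin.` where they use `service.service.`, its PascalCase twin is `ServiceServiceAddress`, and it calls `TrySetService` where they all call `TrySetServiceOrigin`. If the nested entity is the origin service, as the callee name suggests, the arm should read `"service.origin.address" => static (e, v) => TrySetServiceOrigin(e, "service.address", v),`, and the remaining dotted keys should presumably carry the same `service.origin.` prefix. As written, a log property named `service.origin.environment` matches no arm and presumably falls through to `_ => null`, so the value would not land on the typed field that queries and detections read. The same doubled segment appears in the TrySetServer and TrySetSource hunks (`server.user.user.*`, `source.user.user.*`) and is worth checking against the schema. This looks like generator output, so the fix belongs in the generator's projection or template, ideally with a test that pushes one nested property per entity.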
@@ -3017,6 +5103,72 @@ public static bool TrySetSource(EcsDocument document, string path, object value) "SourceSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "source.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "SourceTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "source.as.number" => static (e, v) => TrySetAs(e, "as.number", v), + "SourceAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), + "source.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "SourceAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "source.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "SourceGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "source.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "SourceGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "source.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "SourceGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "source.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "SourceGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "source.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "SourceGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "source.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "SourceGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "source.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "SourceGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "source.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "SourceGeoRegionIsoCode" 
=> static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "source.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "SourceGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "source.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "SourceGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "source.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), + "SourceUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), + "source.user.email" => static (e, v) => TrySetUser(e, "user.email", v), + "SourceUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), + "source.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), + "SourceUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), + "source.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), + "SourceUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), + "source.user.id" => static (e, v) => TrySetUser(e, "user.id", v), + "SourceUserId" => static (e, v) => TrySetUser(e, "user.id", v), + "source.user.name" => static (e, v) => TrySetUser(e, "user.name", v), + "SourceUserName" => static (e, v) => TrySetUser(e, "user.name", v), + "source.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "SourceUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "source.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), + "SourceUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), + "source.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), + "SourceUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), + "source.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "SourceUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "source.user.risk.calculated_score" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "SourceUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "source.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "source.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "SourceUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "source.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "SourceUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "source.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "SourceUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "source.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "SourceUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "source.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), + "SourceUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), + "source.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "SourceUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "source.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "SourceUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "source.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), + "SourceUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), + "source.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), + "SourceUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), _ => null }; if 
(assign == null) return false; 
@@ -3087,6 +5239,280 @@ public static bool TrySetThreat(EcsDocument document, string path, object value) "ThreatSoftwareReference" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareReference = p), "threat.software.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), "ThreatSoftwareType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), + "threat.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "ThreatX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "threat.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "ThreatX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "threat.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "ThreatX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "threat.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "ThreatX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "threat.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "ThreatX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "threat.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "ThreatX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "threat.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "ThreatX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "threat.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "ThreatX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "threat.x509.signature_algorithm" => static (e, v) => TrySetX509(e, 
"x509.signature_algorithm", v), + "ThreatX509SignatureAlgorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), + "threat.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "ThreatX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "threat.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "ThreatX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "threat.as.number" => static (e, v) => TrySetAs(e, "as.number", v), + "ThreatAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), + "threat.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "ThreatAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "threat.file.accessed" => static (e, v) => TrySetFile(e, "file.accessed", v), + "ThreatFileAccessed" => static (e, v) => TrySetFile(e, "file.accessed", v), + "threat.file.created" => static (e, v) => TrySetFile(e, "file.created", v), + "ThreatFileCreated" => static (e, v) => TrySetFile(e, "file.created", v), + "threat.file.ctime" => static (e, v) => TrySetFile(e, "file.ctime", v), + "ThreatFileCtime" => static (e, v) => TrySetFile(e, "file.ctime", v), + "threat.file.device" => static (e, v) => TrySetFile(e, "file.device", v), + "ThreatFileDevice" => static (e, v) => TrySetFile(e, "file.device", v), + "threat.file.directory" => static (e, v) => TrySetFile(e, "file.directory", v), + "ThreatFileDirectory" => static (e, v) => TrySetFile(e, "file.directory", v), + "threat.file.drive_letter" => static (e, v) => TrySetFile(e, "file.drive_letter", v), + "ThreatFileDriveLetter" => static (e, v) => TrySetFile(e, "file.drive_letter", v), + "threat.file.extension" => static (e, v) => TrySetFile(e, "file.extension", v), + "ThreatFileExtension" => static (e, v) => TrySetFile(e, "file.extension", v), + "threat.file.fork_name" => static 
(e, v) => TrySetFile(e, "file.fork_name", v), + "ThreatFileForkName" => static (e, v) => TrySetFile(e, "file.fork_name", v), + "threat.file.gid" => static (e, v) => TrySetFile(e, "file.gid", v), + "ThreatFileGid" => static (e, v) => TrySetFile(e, "file.gid", v), + "threat.file.group" => static (e, v) => TrySetFile(e, "file.group", v), + "ThreatFileGroup" => static (e, v) => TrySetFile(e, "file.group", v), + "threat.file.inode" => static (e, v) => TrySetFile(e, "file.inode", v), + "ThreatFileInode" => static (e, v) => TrySetFile(e, "file.inode", v), + "threat.file.mime_type" => static (e, v) => TrySetFile(e, "file.mime_type", v), + "ThreatFileMimeType" => static (e, v) => TrySetFile(e, "file.mime_type", v), + "threat.file.mode" => static (e, v) => TrySetFile(e, "file.mode", v), + "ThreatFileMode" => static (e, v) => TrySetFile(e, "file.mode", v), + "threat.file.mtime" => static (e, v) => TrySetFile(e, "file.mtime", v), + "ThreatFileMtime" => static (e, v) => TrySetFile(e, "file.mtime", v), + "threat.file.name" => static (e, v) => TrySetFile(e, "file.name", v), + "ThreatFileName" => static (e, v) => TrySetFile(e, "file.name", v), + "threat.file.owner" => static (e, v) => TrySetFile(e, "file.owner", v), + "ThreatFileOwner" => static (e, v) => TrySetFile(e, "file.owner", v), + "threat.file.path" => static (e, v) => TrySetFile(e, "file.path", v), + "ThreatFilePath" => static (e, v) => TrySetFile(e, "file.path", v), + "threat.file.size" => static (e, v) => TrySetFile(e, "file.size", v), + "ThreatFileSize" => static (e, v) => TrySetFile(e, "file.size", v), + "threat.file.target_path" => static (e, v) => TrySetFile(e, "file.target_path", v), + "ThreatFileTargetPath" => static (e, v) => TrySetFile(e, "file.target_path", v), + "threat.file.type" => static (e, v) => TrySetFile(e, "file.type", v), + "ThreatFileType" => static (e, v) => TrySetFile(e, "file.type", v), + "threat.file.uid" => static (e, v) => TrySetFile(e, "file.uid", v), + "ThreatFileUid" => static (e, v) => 
TrySetFile(e, "file.uid", v), + "threat.file.hash.md5" => static (e, v) => TrySetFile(e, "file.hash.md5", v), + "ThreatFileHashMd5" => static (e, v) => TrySetFile(e, "file.hash.md5", v), + "threat.file.hash.sha1" => static (e, v) => TrySetFile(e, "file.hash.sha1", v), + "ThreatFileHashSha1" => static (e, v) => TrySetFile(e, "file.hash.sha1", v), + "threat.file.hash.sha256" => static (e, v) => TrySetFile(e, "file.hash.sha256", v), + "ThreatFileHashSha256" => static (e, v) => TrySetFile(e, "file.hash.sha256", v), + "threat.file.hash.sha384" => static (e, v) => TrySetFile(e, "file.hash.sha384", v), + "ThreatFileHashSha384" => static (e, v) => TrySetFile(e, "file.hash.sha384", v), + "threat.file.hash.sha512" => static (e, v) => TrySetFile(e, "file.hash.sha512", v), + "ThreatFileHashSha512" => static (e, v) => TrySetFile(e, "file.hash.sha512", v), + "threat.file.hash.ssdeep" => static (e, v) => TrySetFile(e, "file.hash.ssdeep", v), + "ThreatFileHashSsdeep" => static (e, v) => TrySetFile(e, "file.hash.ssdeep", v), + "threat.file.hash.tlsh" => static (e, v) => TrySetFile(e, "file.hash.tlsh", v), + "ThreatFileHashTlsh" => static (e, v) => TrySetFile(e, "file.hash.tlsh", v), + "threat.file.pe.architecture" => static (e, v) => TrySetFile(e, "file.pe.architecture", v), + "ThreatFilePeArchitecture" => static (e, v) => TrySetFile(e, "file.pe.architecture", v), + "threat.file.pe.company" => static (e, v) => TrySetFile(e, "file.pe.company", v), + "ThreatFilePeCompany" => static (e, v) => TrySetFile(e, "file.pe.company", v), + "threat.file.pe.description" => static (e, v) => TrySetFile(e, "file.pe.description", v), + "ThreatFilePeDescription" => static (e, v) => TrySetFile(e, "file.pe.description", v), + "threat.file.pe.file_version" => static (e, v) => TrySetFile(e, "file.pe.file_version", v), + "ThreatFilePeFileVersion" => static (e, v) => TrySetFile(e, "file.pe.file_version", v), + "threat.file.pe.go_import_hash" => static (e, v) => TrySetFile(e, "file.pe.go_import_hash", v), + 
"ThreatFilePeGoImportHash" => static (e, v) => TrySetFile(e, "file.pe.go_import_hash", v), + "threat.file.pe.go_imports" => static (e, v) => TrySetFile(e, "file.pe.go_imports", v), + "ThreatFilePeGoImports" => static (e, v) => TrySetFile(e, "file.pe.go_imports", v), + "threat.file.pe.go_imports_names_entropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_entropy", v), + "ThreatFilePeGoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_entropy", v), + "threat.file.pe.go_imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_var_entropy", v), + "ThreatFilePeGoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_var_entropy", v), + "threat.file.pe.go_stripped" => static (e, v) => TrySetFile(e, "file.pe.go_stripped", v), + "ThreatFilePeGoStripped" => static (e, v) => TrySetFile(e, "file.pe.go_stripped", v), + "threat.file.pe.imphash" => static (e, v) => TrySetFile(e, "file.pe.imphash", v), + "ThreatFilePeImphash" => static (e, v) => TrySetFile(e, "file.pe.imphash", v), + "threat.file.pe.import_hash" => static (e, v) => TrySetFile(e, "file.pe.import_hash", v), + "ThreatFilePeImportHash" => static (e, v) => TrySetFile(e, "file.pe.import_hash", v), + "threat.file.pe.imports_names_entropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_entropy", v), + "ThreatFilePeImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_entropy", v), + "threat.file.pe.imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_var_entropy", v), + "ThreatFilePeImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_var_entropy", v), + "threat.file.pe.original_file_name" => static (e, v) => TrySetFile(e, "file.pe.original_file_name", v), + "ThreatFilePeOriginalFileName" => static (e, v) => TrySetFile(e, "file.pe.original_file_name", v), + "threat.file.pe.pehash" => static (e, v) => TrySetFile(e, 
"file.pe.pehash", v), + "ThreatFilePePehash" => static (e, v) => TrySetFile(e, "file.pe.pehash", v), + "threat.file.pe.product" => static (e, v) => TrySetFile(e, "file.pe.product", v), + "ThreatFilePeProduct" => static (e, v) => TrySetFile(e, "file.pe.product", v), + "threat.file.x509.issuer.distinguished_name" => static (e, v) => TrySetFile(e, "file.x509.issuer.distinguished_name", v), + "ThreatFileX509IssuerDistinguishedName" => static (e, v) => TrySetFile(e, "file.x509.issuer.distinguished_name", v), + "threat.file.x509.not_after" => static (e, v) => TrySetFile(e, "file.x509.not_after", v), + "ThreatFileX509NotAfter" => static (e, v) => TrySetFile(e, "file.x509.not_after", v), + "threat.file.x509.not_before" => static (e, v) => TrySetFile(e, "file.x509.not_before", v), + "ThreatFileX509NotBefore" => static (e, v) => TrySetFile(e, "file.x509.not_before", v), + "threat.file.x509.public_key_algorithm" => static (e, v) => TrySetFile(e, "file.x509.public_key_algorithm", v), + "ThreatFileX509PublicKeyAlgorithm" => static (e, v) => TrySetFile(e, "file.x509.public_key_algorithm", v), + "threat.file.x509.public_key_curve" => static (e, v) => TrySetFile(e, "file.x509.public_key_curve", v), + "ThreatFileX509PublicKeyCurve" => static (e, v) => TrySetFile(e, "file.x509.public_key_curve", v), + "threat.file.x509.public_key_exponent" => static (e, v) => TrySetFile(e, "file.x509.public_key_exponent", v), + "ThreatFileX509PublicKeyExponent" => static (e, v) => TrySetFile(e, "file.x509.public_key_exponent", v), + "threat.file.x509.public_key_size" => static (e, v) => TrySetFile(e, "file.x509.public_key_size", v), + "ThreatFileX509PublicKeySize" => static (e, v) => TrySetFile(e, "file.x509.public_key_size", v), + "threat.file.x509.serial_number" => static (e, v) => TrySetFile(e, "file.x509.serial_number", v), + "ThreatFileX509SerialNumber" => static (e, v) => TrySetFile(e, "file.x509.serial_number", v), + "threat.file.x509.signature_algorithm" => static (e, v) => TrySetFile(e, 
"file.x509.signature_algorithm", v), + "ThreatFileX509SignatureAlgorithm" => static (e, v) => TrySetFile(e, "file.x509.signature_algorithm", v), + "threat.file.x509.subject.distinguished_name" => static (e, v) => TrySetFile(e, "file.x509.subject.distinguished_name", v), + "ThreatFileX509SubjectDistinguishedName" => static (e, v) => TrySetFile(e, "file.x509.subject.distinguished_name", v), + "threat.file.x509.version_number" => static (e, v) => TrySetFile(e, "file.x509.version_number", v), + "ThreatFileX509VersionNumber" => static (e, v) => TrySetFile(e, "file.x509.version_number", v), + "threat.file.code_signature.digest_algorithm" => static (e, v) => TrySetFile(e, "file.code_signature.digest_algorithm", v), + "ThreatFileCodeSignatureDigestAlgorithm" => static (e, v) => TrySetFile(e, "file.code_signature.digest_algorithm", v), + "threat.file.code_signature.exists" => static (e, v) => TrySetFile(e, "file.code_signature.exists", v), + "ThreatFileCodeSignatureExists" => static (e, v) => TrySetFile(e, "file.code_signature.exists", v), + "threat.file.code_signature.signing_id" => static (e, v) => TrySetFile(e, "file.code_signature.signing_id", v), + "ThreatFileCodeSignatureSigningId" => static (e, v) => TrySetFile(e, "file.code_signature.signing_id", v), + "threat.file.code_signature.status" => static (e, v) => TrySetFile(e, "file.code_signature.status", v), + "ThreatFileCodeSignatureStatus" => static (e, v) => TrySetFile(e, "file.code_signature.status", v), + "threat.file.code_signature.subject_name" => static (e, v) => TrySetFile(e, "file.code_signature.subject_name", v), + "ThreatFileCodeSignatureSubjectName" => static (e, v) => TrySetFile(e, "file.code_signature.subject_name", v), + "threat.file.code_signature.team_id" => static (e, v) => TrySetFile(e, "file.code_signature.team_id", v), + "ThreatFileCodeSignatureTeamId" => static (e, v) => TrySetFile(e, "file.code_signature.team_id", v), + "threat.file.code_signature.timestamp" => static (e, v) => TrySetFile(e, 
"file.code_signature.timestamp", v), + "ThreatFileCodeSignatureTimestamp" => static (e, v) => TrySetFile(e, "file.code_signature.timestamp", v), + "threat.file.code_signature.trusted" => static (e, v) => TrySetFile(e, "file.code_signature.trusted", v), + "ThreatFileCodeSignatureTrusted" => static (e, v) => TrySetFile(e, "file.code_signature.trusted", v), + "threat.file.code_signature.valid" => static (e, v) => TrySetFile(e, "file.code_signature.valid", v), + "ThreatFileCodeSignatureValid" => static (e, v) => TrySetFile(e, "file.code_signature.valid", v), + "threat.file.elf.architecture" => static (e, v) => TrySetFile(e, "file.elf.architecture", v), + "ThreatFileElfArchitecture" => static (e, v) => TrySetFile(e, "file.elf.architecture", v), + "threat.file.elf.byte_order" => static (e, v) => TrySetFile(e, "file.elf.byte_order", v), + "ThreatFileElfByteOrder" => static (e, v) => TrySetFile(e, "file.elf.byte_order", v), + "threat.file.elf.cpu_type" => static (e, v) => TrySetFile(e, "file.elf.cpu_type", v), + "ThreatFileElfCpuType" => static (e, v) => TrySetFile(e, "file.elf.cpu_type", v), + "threat.file.elf.creation_date" => static (e, v) => TrySetFile(e, "file.elf.creation_date", v), + "ThreatFileElfCreationDate" => static (e, v) => TrySetFile(e, "file.elf.creation_date", v), + "threat.file.elf.go_import_hash" => static (e, v) => TrySetFile(e, "file.elf.go_import_hash", v), + "ThreatFileElfGoImportHash" => static (e, v) => TrySetFile(e, "file.elf.go_import_hash", v), + "threat.file.elf.go_imports" => static (e, v) => TrySetFile(e, "file.elf.go_imports", v), + "ThreatFileElfGoImports" => static (e, v) => TrySetFile(e, "file.elf.go_imports", v), + "threat.file.elf.go_imports_names_entropy" => static (e, v) => TrySetFile(e, "file.elf.go_imports_names_entropy", v), + "ThreatFileElfGoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.elf.go_imports_names_entropy", v), + "threat.file.elf.go_imports_names_var_entropy" => static (e, v) => TrySetFile(e, 
"file.elf.go_imports_names_var_entropy", v), + "ThreatFileElfGoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.elf.go_imports_names_var_entropy", v), + "threat.file.elf.go_stripped" => static (e, v) => TrySetFile(e, "file.elf.go_stripped", v), + "ThreatFileElfGoStripped" => static (e, v) => TrySetFile(e, "file.elf.go_stripped", v), + "threat.file.elf.header.abi_version" => static (e, v) => TrySetFile(e, "file.elf.header.abi_version", v), + "ThreatFileElfHeaderAbiVersion" => static (e, v) => TrySetFile(e, "file.elf.header.abi_version", v), + "threat.file.elf.header.class" => static (e, v) => TrySetFile(e, "file.elf.header.class", v), + "ThreatFileElfHeaderClass" => static (e, v) => TrySetFile(e, "file.elf.header.class", v), + "threat.file.elf.header.data" => static (e, v) => TrySetFile(e, "file.elf.header.data", v), + "ThreatFileElfHeaderData" => static (e, v) => TrySetFile(e, "file.elf.header.data", v), + "threat.file.elf.header.entrypoint" => static (e, v) => TrySetFile(e, "file.elf.header.entrypoint", v), + "ThreatFileElfHeaderEntrypoint" => static (e, v) => TrySetFile(e, "file.elf.header.entrypoint", v), + "threat.file.elf.header.object_version" => static (e, v) => TrySetFile(e, "file.elf.header.object_version", v), + "ThreatFileElfHeaderObjectVersion" => static (e, v) => TrySetFile(e, "file.elf.header.object_version", v), + "threat.file.elf.header.os_abi" => static (e, v) => TrySetFile(e, "file.elf.header.os_abi", v), + "ThreatFileElfHeaderOsAbi" => static (e, v) => TrySetFile(e, "file.elf.header.os_abi", v), + "threat.file.elf.header.type" => static (e, v) => TrySetFile(e, "file.elf.header.type", v), + "ThreatFileElfHeaderType" => static (e, v) => TrySetFile(e, "file.elf.header.type", v), + "threat.file.elf.header.version" => static (e, v) => TrySetFile(e, "file.elf.header.version", v), + "ThreatFileElfHeaderVersion" => static (e, v) => TrySetFile(e, "file.elf.header.version", v), + "threat.file.elf.import_hash" => static (e, v) => 
TrySetFile(e, "file.elf.import_hash", v), + "ThreatFileElfImportHash" => static (e, v) => TrySetFile(e, "file.elf.import_hash", v), + "threat.file.elf.imports_names_entropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_entropy", v), + "ThreatFileElfImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_entropy", v), + "threat.file.elf.imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_var_entropy", v), + "ThreatFileElfImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_var_entropy", v), + "threat.file.elf.telfhash" => static (e, v) => TrySetFile(e, "file.elf.telfhash", v), + "ThreatFileElfTelfhash" => static (e, v) => TrySetFile(e, "file.elf.telfhash", v), + "threat.file.macho.go_import_hash" => static (e, v) => TrySetFile(e, "file.macho.go_import_hash", v), + "ThreatFileMachoGoImportHash" => static (e, v) => TrySetFile(e, "file.macho.go_import_hash", v), + "threat.file.macho.go_imports" => static (e, v) => TrySetFile(e, "file.macho.go_imports", v), + "ThreatFileMachoGoImports" => static (e, v) => TrySetFile(e, "file.macho.go_imports", v), + "threat.file.macho.go_imports_names_entropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_entropy", v), + "ThreatFileMachoGoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_entropy", v), + "threat.file.macho.go_imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_var_entropy", v), + "ThreatFileMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_var_entropy", v), + "threat.file.macho.go_stripped" => static (e, v) => TrySetFile(e, "file.macho.go_stripped", v), + "ThreatFileMachoGoStripped" => static (e, v) => TrySetFile(e, "file.macho.go_stripped", v), + "threat.file.macho.import_hash" => static (e, v) => TrySetFile(e, "file.macho.import_hash", v), + "ThreatFileMachoImportHash" => static (e, v) => 
TrySetFile(e, "file.macho.import_hash", v), + "threat.file.macho.imports_names_entropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_entropy", v), + "ThreatFileMachoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_entropy", v), + "threat.file.macho.imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_var_entropy", v), + "ThreatFileMachoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_var_entropy", v), + "threat.file.macho.symhash" => static (e, v) => TrySetFile(e, "file.macho.symhash", v), + "ThreatFileMachoSymhash" => static (e, v) => TrySetFile(e, "file.macho.symhash", v), + "threat.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "ThreatGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "threat.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "ThreatGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "threat.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "ThreatGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "threat.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "ThreatGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "threat.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "ThreatGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "threat.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "ThreatGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "threat.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "ThreatGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "threat.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "ThreatGeoRegionIsoCode" => static (e, v) => 
TrySetGeo(e, "geo.region_iso_code", v), + "threat.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "ThreatGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "threat.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "ThreatGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "threat.registry.data.bytes" => static (e, v) => TrySetRegistry(e, "registry.data.bytes", v), + "ThreatRegistryDataBytes" => static (e, v) => TrySetRegistry(e, "registry.data.bytes", v), + "threat.registry.data.type" => static (e, v) => TrySetRegistry(e, "registry.data.type", v), + "ThreatRegistryDataType" => static (e, v) => TrySetRegistry(e, "registry.data.type", v), + "threat.registry.hive" => static (e, v) => TrySetRegistry(e, "registry.hive", v), + "ThreatRegistryHive" => static (e, v) => TrySetRegistry(e, "registry.hive", v), + "threat.registry.key" => static (e, v) => TrySetRegistry(e, "registry.key", v), + "ThreatRegistryKey" => static (e, v) => TrySetRegistry(e, "registry.key", v), + "threat.registry.path" => static (e, v) => TrySetRegistry(e, "registry.path", v), + "ThreatRegistryPath" => static (e, v) => TrySetRegistry(e, "registry.path", v), + "threat.registry.value" => static (e, v) => TrySetRegistry(e, "registry.value", v), + "ThreatRegistryValue" => static (e, v) => TrySetRegistry(e, "registry.value", v), + "threat.url.domain" => static (e, v) => TrySetUrl(e, "url.domain", v), + "ThreatUrlDomain" => static (e, v) => TrySetUrl(e, "url.domain", v), + "threat.url.extension" => static (e, v) => TrySetUrl(e, "url.extension", v), + "ThreatUrlExtension" => static (e, v) => TrySetUrl(e, "url.extension", v), + "threat.url.fragment" => static (e, v) => TrySetUrl(e, "url.fragment", v), + "ThreatUrlFragment" => static (e, v) => TrySetUrl(e, "url.fragment", v), + "threat.url.full" => static (e, v) => TrySetUrl(e, "url.full", v), + "ThreatUrlFull" => static (e, v) => TrySetUrl(e, "url.full", v), + 
"threat.url.original" => static (e, v) => TrySetUrl(e, "url.original", v), + "ThreatUrlOriginal" => static (e, v) => TrySetUrl(e, "url.original", v), + "threat.url.password" => static (e, v) => TrySetUrl(e, "url.password", v), + "ThreatUrlPassword" => static (e, v) => TrySetUrl(e, "url.password", v), + "threat.url.path" => static (e, v) => TrySetUrl(e, "url.path", v), + "ThreatUrlPath" => static (e, v) => TrySetUrl(e, "url.path", v), + "threat.url.port" => static (e, v) => TrySetUrl(e, "url.port", v), + "ThreatUrlPort" => static (e, v) => TrySetUrl(e, "url.port", v), + "threat.url.query" => static (e, v) => TrySetUrl(e, "url.query", v), + "ThreatUrlQuery" => static (e, v) => TrySetUrl(e, "url.query", v), + "threat.url.registered_domain" => static (e, v) => TrySetUrl(e, "url.registered_domain", v), + "ThreatUrlRegisteredDomain" => static (e, v) => TrySetUrl(e, "url.registered_domain", v), + "threat.url.scheme" => static (e, v) => TrySetUrl(e, "url.scheme", v), + "ThreatUrlScheme" => static (e, v) => TrySetUrl(e, "url.scheme", v), + "threat.url.subdomain" => static (e, v) => TrySetUrl(e, "url.subdomain", v), + "ThreatUrlSubdomain" => static (e, v) => TrySetUrl(e, "url.subdomain", v), + "threat.url.top_level_domain" => static (e, v) => TrySetUrl(e, "url.top_level_domain", v), + "ThreatUrlTopLevelDomain" => static (e, v) => TrySetUrl(e, "url.top_level_domain", v), + "threat.url.username" => static (e, v) => TrySetUrl(e, "url.username", v), + "ThreatUrlUsername" => static (e, v) => TrySetUrl(e, "url.username", v), _ => null }; if (assign == null) return false; 
@@ -3153,6 +5579,28 @@ public static bool TrySetTls(EcsDocument document, string path, object value) "TlsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "tls.version_protocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), "TlsVersionProtocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), + "tls.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "TlsX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "tls.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "TlsX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "tls.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "TlsX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "tls.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "TlsX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "tls.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "TlsX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "tls.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "TlsX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "tls.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "TlsX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "tls.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "TlsX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "tls.x509.signature_algorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), + "TlsX509SignatureAlgorithm" => static (e, v) => 
TrySetX509(e, "x509.signature_algorithm", v), + "tls.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "TlsX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "tls.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "TlsX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), _ => null }; if (assign == null) return false; 
@@ -3205,32 +5653,6 @@ public static bool TrySetUrl(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetUser(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.User ?? new User(); - var assigned = assign(entity, value); - if (assigned) document.User = entity; - return assigned; - } - public static bool TrySetUserAgent(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -3243,6 +5665,20 @@ public static bool TrySetUserAgent(EcsDocument document, string path, object val "UserAgentOriginal" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), "user_agent.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "UserAgentVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "user_agent.os.family" => static (e, v) => TrySetOs(e, "os.family", v), + "UserAgentOsFamily" => static (e, v) => TrySetOs(e, "os.family", v), + "user_agent.os.full" => static (e, v) => TrySetOs(e, "os.full", v), + "UserAgentOsFull" => static (e, v) => TrySetOs(e, "os.full", v), + "user_agent.os.kernel" => static (e, v) => TrySetOs(e, "os.kernel", v), + "UserAgentOsKernel" => static (e, v) => TrySetOs(e, "os.kernel", v), + "user_agent.os.name" => static (e, v) => TrySetOs(e, "os.name", v), + "UserAgentOsName" => static (e, v) => TrySetOs(e, "os.name", v), + "user_agent.os.platform" => static (e, v) => TrySetOs(e, "os.platform", v), + "UserAgentOsPlatform" => static (e, v) => TrySetOs(e, "os.platform", v), + "user_agent.os.type" => static (e, v) => TrySetOs(e, "os.type", v), + "UserAgentOsType" => static (e, v) => TrySetOs(e, "os.type", v), + "user_agent.os.version" => static (e, v) => TrySetOs(e, "os.version", v), + "UserAgentOsVersion" => static (e, v) => TrySetOs(e, "os.version", v), _ => null }; if (assign == null) return false; 
@@ -3253,24 +5689,6 @@ public static bool TrySetUserAgent(EcsDocument document, string path, object val return assigned; } - public static bool TrySetVlan(EcsDocument document, string path, object value) - { - Func assign = path switch - { - "vlan.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "VlanId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "vlan.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "VlanName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Vlan ?? new Vlan(); - var assigned = assign(entity, value); - if (assigned) document.Vlan = entity; - return assigned; - } - public static bool TrySetVulnerability(EcsDocument document, string path, object value) { Func assign = path switch 
@@ -3309,39 +5727,1843 @@ public static bool TrySetVulnerability(EcsDocument document, string path, object return assigned; } - public static bool TrySetX509(EcsDocument document, string path, object value) + public static bool TrySetAs(IAs document, string path, object value) { - Func assign = path switch + Func assign = path switch { - "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "X509SerialNumber" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "as.number" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), + "AsNumber" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), + "as.organization.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), _ => null }; if (assign == null) return false; - var entity = document.X509 ?? new X509(); + var entity = document.As ?? 
new As(); var assigned = assign(entity, value); - if (assigned) document.X509 = entity; + if (assigned) document.As = entity; + return assigned; + } + + public static bool TrySetGeo(IGeo document, string path, object value) + { + Func assign = path switch + { + "geo.city_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), + "GeoCityName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), + "geo.continent_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), + "GeoContinentCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), + "geo.continent_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), + "GeoContinentName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), + "geo.country_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), + "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), + "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), + "GeoPostalCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), + "geo.region_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), + "GeoRegionIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), + "geo.region_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), + "GeoRegionName" => static (e, v) => TrySetString(e, v, static (ee, p) => 
ee.RegionName = p), + "geo.timezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), + "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Geo ?? new Geo(); + var assigned = assign(entity, value); + if (assigned) document.Geo = entity; + return assigned; + } + + public static bool TrySetUser(IUser document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), + "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), + "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), + "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), + 
"user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "UserRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), + "UserUserName" => static (e, v) => 
TrySetUserTarget(e, "user.name", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.User ?? new User(); + var assigned = assign(entity, value); + if (assigned) document.User = entity; + return assigned; + } + + public static bool TrySetOrigin(IOrigin document, string path, object value) + { + Func assign = path switch + { + "cloud.account.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), + "CloudAccountId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), + "cloud.account.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), + "CloudAccountName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), + "cloud.availability_zone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), + "CloudAvailabilityZone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), + "cloud.instance.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), + "CloudInstanceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), + "cloud.instance.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), + "CloudInstanceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), + "cloud.machine.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), + "CloudMachineType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), + "cloud.project.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), + "CloudProjectId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), + "cloud.project.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), + "CloudProjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), + "cloud.provider" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.Provider = p), + "CloudProvider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), + "cloud.region" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), + "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), + "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), + "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Origin ?? new CloudOrigin(); + var assigned = assign(entity, value); + if (assigned) document.Origin = entity; + return assigned; + } + + public static bool TrySetTarget(ITarget document, string path, object value) + { + Func assign = path switch + { + "cloud.account.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), + "CloudAccountId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), + "cloud.account.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), + "CloudAccountName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), + "cloud.availability_zone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), + "CloudAvailabilityZone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), + "cloud.instance.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), + "CloudInstanceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), + "cloud.instance.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), + "CloudInstanceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), + "cloud.machine.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), + "CloudMachineType" => 
static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), + "cloud.project.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), + "CloudProjectId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), + "cloud.project.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), + "CloudProjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), + "cloud.provider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), + "CloudProvider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), + "cloud.region" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), + "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), + "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), + "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Target ?? 
new CloudTarget(); + var assigned = assign(entity, value); + if (assigned) document.Target = entity; + return assigned; + } + + public static bool TrySetHash(IHash document, string path, object value) + { + Func assign = path switch + { + "hash.md5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), + "HashMd5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), + "hash.sha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), + "HashSha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), + "hash.sha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), + "HashSha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), + "hash.sha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), + "HashSha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), + "hash.sha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), + "HashSha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), + "hash.ssdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), + "HashSsdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), + "hash.tlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), + "HashTlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Hash ?? 
new Hash(); + var assigned = assign(entity, value); + if (assigned) document.Hash = entity; + return assigned; + } + + public static bool TrySetPe(IPe document, string path, object value) + { + Func assign = path switch + { + "pe.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "PeArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "pe.company" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), + "PeCompany" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), + "pe.description" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), + "PeDescription" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), + "pe.file_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), + "PeFileVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), + "pe.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "PeGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "pe.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "PeGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "pe.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "PeGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "pe.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "PeGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "pe.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "PeGoStripped" => static (e, v) => TrySetBool(e, v, 
static (ee, p) => ee.GoStripped = p), + "pe.imphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), + "PeImphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), + "pe.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "PeImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "pe.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "PeImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "pe.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "PeImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "pe.original_file_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), + "PeOriginalFileName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), + "pe.pehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), + "PePehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), + "pe.product" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), + "PeProduct" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Pe ?? 
new Pe(); + var assigned = assign(entity, value); + if (assigned) document.Pe = entity; + return assigned; + } + + public static bool TrySetCodeSignature(ICodeSignature document, string path, object value) + { + Func assign = path switch + { + "code_signature.digest_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), + "CodeSignatureDigestAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), + "code_signature.exists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), + "CodeSignatureExists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), + "code_signature.signing_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), + "CodeSignatureSigningId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), + "code_signature.status" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), + "CodeSignatureStatus" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), + "code_signature.subject_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), + "CodeSignatureSubjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), + "code_signature.team_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), + "CodeSignatureTeamId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), + "code_signature.timestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), + "CodeSignatureTimestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), + "code_signature.trusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), + "CodeSignatureTrusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), + "code_signature.valid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = 
p), + "CodeSignatureValid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.CodeSignature ?? new CodeSignature(); + var assigned = assign(entity, value); + if (assigned) document.CodeSignature = entity; + return assigned; + } + + public static bool TrySetX509(IX509 document, string path, object value) + { + Func assign = path switch + { + "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "x509.serial_number" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.X509 ?? new X509(); + var assigned = assign(entity, value); + if (assigned) document.X509 = entity; + return assigned; + } + + public static bool TrySetElf(IElf document, string path, object value) + { + Func assign = path switch + { + "elf.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "ElfArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "elf.byte_order" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), + "ElfByteOrder" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), + "elf.cpu_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), + "ElfCpuType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), + "elf.creation_date" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), + "ElfCreationDate" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), + "elf.go_import_hash" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.GoImportHash = p), + "ElfGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "elf.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "ElfGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "elf.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "ElfGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "elf.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "ElfGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "elf.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "ElfGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "elf.header.abi_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), + "ElfHeaderAbiVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), + "elf.header.class" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), + "ElfHeaderClass" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), + "elf.header.data" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), + "ElfHeaderData" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), + "elf.header.entrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), + "ElfHeaderEntrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), + "elf.header.object_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderObjectVersion = p), + "ElfHeaderObjectVersion" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.HeaderObjectVersion = p), + "elf.header.os_abi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), + "ElfHeaderOsAbi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), + "elf.header.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), + "ElfHeaderType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), + "elf.header.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), + "ElfHeaderVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), + "elf.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "ElfImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "elf.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "ElfImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "elf.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "ElfImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "elf.telfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), + "ElfTelfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Elf ?? 
new Elf(); + var assigned = assign(entity, value); + if (assigned) document.Elf = entity; + return assigned; + } + + public static bool TrySetMacho(IMacho document, string path, object value) + { + Func assign = path switch + { + "macho.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "MachoGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "macho.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "MachoGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "macho.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "MachoGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "macho.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "MachoGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "macho.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "MachoGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "macho.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "MachoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "macho.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "MachoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "macho.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "MachoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "macho.symhash" => 
static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), + "MachoSymhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Macho ?? new Macho(); + var assigned = assign(entity, value); + if (assigned) document.Macho = entity; + return assigned; + } + + public static bool TrySetOs(IOs document, string path, object value) + { + Func assign = path switch + { + "os.family" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), + "OsFamily" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), + "os.full" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), + "OsFull" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), + "os.kernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), + "OsKernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), + "os.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "OsName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "os.platform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), + "OsPlatform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), + "os.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "OsType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "os.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "OsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Os ?? 
new Os(); + var assigned = assign(entity, value); + if (assigned) document.Os = entity; + return assigned; + } + + public static bool TrySetRisk(IRisk document, string path, object value) + { + Func assign = path switch + { + "risk.calculated_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), + "RiskCalculatedLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), + "risk.calculated_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), + "RiskCalculatedScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), + "risk.calculated_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), + "RiskCalculatedScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), + "risk.static_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), + "RiskStaticLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), + "risk.static_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), + "RiskStaticScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), + "risk.static_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), + "RiskStaticScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Risk ?? 
new Risk(); + var assigned = assign(entity, value); + if (assigned) document.Risk = entity; + return assigned; + } + + public static bool TrySetVlan(IVlan document, string path, object value) + { + Func assign = path switch + { + "vlan.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "VlanId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "vlan.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "VlanName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Vlan ?? new Vlan(); + var assigned = assign(entity, value); + if (assigned) document.Vlan = entity; + return assigned; + } + + public static bool TrySetGroup(IGroup document, string path, object value) + { + Func assign = path switch + { + "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Group ?? 
new Group(); + var assigned = assign(entity, value); + if (assigned) document.Group = entity; + return assigned; + } + + public static bool TrySetRealGroup(IRealGroup document, string path, object value) + { + Func assign = path switch + { + "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.RealGroup ?? new Group(); + var assigned = assign(entity, value); + if (assigned) document.RealGroup = entity; + return assigned; + } + + public static bool TrySetSavedGroup(ISavedGroup document, string path, object value) + { + Func assign = path switch + { + "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.SavedGroup ?? 
new Group(); + var assigned = assign(entity, value); + if (assigned) document.SavedGroup = entity; + return assigned; + } + + public static bool TrySetSupplementalGroups(ISupplementalGroups document, string path, object value) + { + Func assign = path switch + { + "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.SupplementalGroups ?? new Group(); + var assigned = assign(entity, value); + if (assigned) document.SupplementalGroups = entity; + return assigned; + } + + public static bool TrySetAttestedGroups(IAttestedGroups document, string path, object value) + { + Func assign = path switch + { + "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.AttestedGroups ?? 
new Group(); + var assigned = assign(entity, value); + if (assigned) document.AttestedGroups = entity; + return assigned; + } + + public static bool TrySetEntryMetaSource(IEntryMetaSource document, string path, object value) + { + Func assign = path switch + { + "source.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "SourceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "source.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Bytes = p), + "SourceBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Bytes = p), + "source.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "SourceDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "source.ip" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ip = p), + "SourceIp" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ip = p), + "source.mac" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mac = p), + "SourceMac" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mac = p), + "source.nat.ip" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NatIp = p), + "SourceNatIp" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NatIp = p), + "source.nat.port" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NatPort = p), + "SourceNatPort" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NatPort = p), + "source.packets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Packets = p), + "SourcePackets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Packets = p), + "source.port" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), + "SourcePort" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), + "source.registered_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), + "SourceRegisteredDomain" => static (e, v) 
=> TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), + "source.subdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), + "SourceSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), + "source.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "SourceTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "source.as.number" => static (e, v) => TrySetAs(e, "as.number", v), + "SourceAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), + "source.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "SourceAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), + "source.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "SourceGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), + "source.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "SourceGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), + "source.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "SourceGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), + "source.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "SourceGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), + "source.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "SourceGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), + "source.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), + "SourceGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), + "source.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "SourceGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), + "source.geo.region_iso_code" => static (e, v) => 
TrySetGeo(e, "geo.region_iso_code", v), + "SourceGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), + "source.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "SourceGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), + "source.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "SourceGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), + "source.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), + "SourceUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), + "source.user.email" => static (e, v) => TrySetUser(e, "user.email", v), + "SourceUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), + "source.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), + "SourceUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), + "source.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), + "SourceUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), + "source.user.id" => static (e, v) => TrySetUser(e, "user.id", v), + "SourceUserId" => static (e, v) => TrySetUser(e, "user.id", v), + "source.user.name" => static (e, v) => TrySetUser(e, "user.name", v), + "SourceUserName" => static (e, v) => TrySetUser(e, "user.name", v), + "source.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "SourceUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), + "source.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), + "SourceUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), + "source.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), + "SourceUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), + "source.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), + "SourceUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, 
"user.risk.calculated_level", v), + "source.user.risk.calculated_score" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "SourceUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), + "source.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), + "source.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "SourceUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), + "source.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "SourceUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), + "source.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "SourceUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), + "source.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "SourceUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), + "source.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), + "SourceUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), + "source.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "SourceUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), + "source.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "SourceUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), + "source.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), + "SourceUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), + "source.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), + "SourceUserUserName" => 
static (e, v) => TrySetUser(e, "user.user.name", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.EntryMetaSource ?? new Source(); + var assigned = assign(entity, value); + if (assigned) document.EntryMetaSource = entity; + return assigned; + } + + public static bool TrySetSavedUser(ISavedUser document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), + "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), + "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), + "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), + "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "UserRiskCalculatedLevel" => 
static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), + "UserUserName" => static (e, v) => TrySetUserTarget(e, "user.name", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.SavedUser ?? 
new User(); + var assigned = assign(entity, value); + if (assigned) document.SavedUser = entity; + return assigned; + } + + public static bool TrySetRealUser(IRealUser document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), + "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), + "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), + "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), + "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "UserRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + 
"UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), + "UserUserName" => static (e, v) => TrySetUserTarget(e, "user.name", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.RealUser ?? 
new User(); + var assigned = assign(entity, value); + if (assigned) document.RealUser = entity; + return assigned; + } + + public static bool TrySetAttestedUser(IAttestedUser document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), + "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), + "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), + "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), + "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), + "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "UserRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), + "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + 
"UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), + "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), + "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), + "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), + "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), + "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), + "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), + "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), + "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), + "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), + "UserUserName" => static (e, v) => TrySetUserTarget(e, "user.name", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.AttestedUser ?? 
new User(); + var assigned = assign(entity, value); + if (assigned) document.AttestedUser = entity; + return assigned; + } + + public static bool TrySetParent(IParent document, string path, object value) + { + Func assign = path switch + { + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, 
static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "process.parent.process.args_count" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.args_count", v), + "ProcessParentProcessArgsCount" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.args_count", v), + "process.parent.process.command_line" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.command_line", v), + "ProcessParentProcessCommandLine" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.command_line", v), + "process.parent.process.end" => static (e, v) => 
TrySetProcessParentGroupLeader(e, "process.end", v), + "ProcessParentProcessEnd" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.end", v), + "process.parent.process.entity_id" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.entity_id", v), + "ProcessParentProcessEntityId" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.entity_id", v), + "process.parent.process.executable" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.executable", v), + "ProcessParentProcessExecutable" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.executable", v), + "process.parent.process.exit_code" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.exit_code", v), + "ProcessParentProcessExitCode" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.exit_code", v), + "process.parent.process.interactive" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.interactive", v), + "ProcessParentProcessInteractive" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.interactive", v), + "process.parent.process.name" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.name", v), + "ProcessParentProcessName" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.name", v), + "process.parent.process.pgid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pgid", v), + "ProcessParentProcessPgid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pgid", v), + "process.parent.process.pid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pid", v), + "ProcessParentProcessPid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pid", v), + "process.parent.process.start" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.start", v), + "ProcessParentProcessStart" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.start", v), + "process.parent.process.thread.id" => static (e, v) => 
TrySetProcessParentGroupLeader(e, "process.thread.id", v), + "ProcessParentProcessThreadId" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.id", v), + "process.parent.process.thread.name" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.name", v), + "ProcessParentProcessThreadName" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.name", v), + "process.parent.process.title" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.title", v), + "ProcessParentProcessTitle" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.title", v), + "process.parent.process.uptime" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.uptime", v), + "ProcessParentProcessUptime" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.uptime", v), + "process.parent.process.vpid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.vpid", v), + "ProcessParentProcessVpid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.vpid", v), + "process.parent.process.working_directory" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.working_directory", v), + "ProcessParentProcessWorkingDirectory" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.working_directory", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.Parent ?? 
new ProcessParent(); + var assigned = assign(entity, value); + if (assigned) document.Parent = entity; + return assigned; + } + + public static bool TrySetEntryLeader(IEntryLeader document, string path, object value) + { + Func assign = path switch + { + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => 
TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "process.entry_leader.process.args_count" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.args_count", v), + "ProcessEntryLeaderProcessArgsCount" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.args_count", v), + "process.entry_leader.process.command_line" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.command_line", v), + "ProcessEntryLeaderProcessCommandLine" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.command_line", v), + "process.entry_leader.process.end" 
=> static (e, v) => TrySetProcessEntryLeaderParent(e, "process.end", v), + "ProcessEntryLeaderProcessEnd" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.end", v), + "process.entry_leader.process.entity_id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entity_id", v), + "ProcessEntryLeaderProcessEntityId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entity_id", v), + "process.entry_leader.process.executable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.executable", v), + "ProcessEntryLeaderProcessExecutable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.executable", v), + "process.entry_leader.process.exit_code" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.exit_code", v), + "ProcessEntryLeaderProcessExitCode" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.exit_code", v), + "process.entry_leader.process.interactive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.interactive", v), + "ProcessEntryLeaderProcessInteractive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.interactive", v), + "process.entry_leader.process.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.name", v), + "ProcessEntryLeaderProcessName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.name", v), + "process.entry_leader.process.pgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pgid", v), + "ProcessEntryLeaderProcessPgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pgid", v), + "process.entry_leader.process.pid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pid", v), + "ProcessEntryLeaderProcessPid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pid", v), + "process.entry_leader.process.start" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.start", v), + "ProcessEntryLeaderProcessStart" => static (e, v) => 
TrySetProcessEntryLeaderParent(e, "process.start", v), + "process.entry_leader.process.thread.id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.id", v), + "ProcessEntryLeaderProcessThreadId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.id", v), + "process.entry_leader.process.thread.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.name", v), + "ProcessEntryLeaderProcessThreadName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.name", v), + "process.entry_leader.process.title" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.title", v), + "ProcessEntryLeaderProcessTitle" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.title", v), + "process.entry_leader.process.uptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.uptime", v), + "ProcessEntryLeaderProcessUptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.uptime", v), + "process.entry_leader.process.vpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.vpid", v), + "ProcessEntryLeaderProcessVpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.vpid", v), + "process.entry_leader.process.working_directory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.working_directory", v), + "ProcessEntryLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.working_directory", v), + "process.entry_leader.process.entry_leader.parent.process.args_count" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.args_count", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.args_count", v), + "process.entry_leader.process.entry_leader.parent.process.command_line" => static (e, v) => TrySetProcessEntryLeaderParent(e, 
"process.entry_leader.parent.process.command_line", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.command_line", v), + "process.entry_leader.process.entry_leader.parent.process.end" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.end", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessEnd" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.end", v), + "process.entry_leader.process.entry_leader.parent.process.entity_id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.entity_id", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessEntityId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.entity_id", v), + "process.entry_leader.process.entry_leader.parent.process.executable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.executable", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessExecutable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.executable", v), + "process.entry_leader.process.entry_leader.parent.process.exit_code" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.exit_code", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessExitCode" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.exit_code", v), + "process.entry_leader.process.entry_leader.parent.process.interactive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.interactive", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessInteractive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.interactive", v), + 
"process.entry_leader.process.entry_leader.parent.process.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.name", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.name", v), + "process.entry_leader.process.entry_leader.parent.process.pgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pgid", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessPgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pgid", v), + "process.entry_leader.process.entry_leader.parent.process.pid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pid", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessPid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pid", v), + "process.entry_leader.process.entry_leader.parent.process.start" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.start", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessStart" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.start", v), + "process.entry_leader.process.entry_leader.parent.process.thread.id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.id", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessThreadId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.id", v), + "process.entry_leader.process.entry_leader.parent.process.thread.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.name", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessThreadName" => static (e, v) => TrySetProcessEntryLeaderParent(e, 
"process.entry_leader.parent.process.thread.name", v), + "process.entry_leader.process.entry_leader.parent.process.title" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.title", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessTitle" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.title", v), + "process.entry_leader.process.entry_leader.parent.process.uptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.uptime", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessUptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.uptime", v), + "process.entry_leader.process.entry_leader.parent.process.vpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.vpid", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessVpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.vpid", v), + "process.entry_leader.process.entry_leader.parent.process.working_directory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.working_directory", v), + "ProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.working_directory", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.EntryLeader ?? 
new ProcessEntryLeader(); + var assigned = assign(entity, value); + if (assigned) document.EntryLeader = entity; + return assigned; + } + + public static bool TrySetSessionLeader(ISessionLeader document, string path, object value) + { + Func assign = path switch + { + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static 
(e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "process.session_leader.process.args_count" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.args_count", v), + "ProcessSessionLeaderProcessArgsCount" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.args_count", v), + "process.session_leader.process.command_line" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.command_line", v), + "ProcessSessionLeaderProcessCommandLine" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.command_line", v), + 
"process.session_leader.process.end" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.end", v), + "ProcessSessionLeaderProcessEnd" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.end", v), + "process.session_leader.process.entity_id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.entity_id", v), + "ProcessSessionLeaderProcessEntityId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.entity_id", v), + "process.session_leader.process.executable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.executable", v), + "ProcessSessionLeaderProcessExecutable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.executable", v), + "process.session_leader.process.exit_code" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.exit_code", v), + "ProcessSessionLeaderProcessExitCode" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.exit_code", v), + "process.session_leader.process.interactive" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.interactive", v), + "ProcessSessionLeaderProcessInteractive" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.interactive", v), + "process.session_leader.process.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.name", v), + "ProcessSessionLeaderProcessName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.name", v), + "process.session_leader.process.pgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pgid", v), + "ProcessSessionLeaderProcessPgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pgid", v), + "process.session_leader.process.pid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pid", v), + "ProcessSessionLeaderProcessPid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pid", v), + "process.session_leader.process.start" => static (e, v) => 
TrySetProcessSessionLeaderParent(e, "process.start", v), + "ProcessSessionLeaderProcessStart" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.start", v), + "process.session_leader.process.thread.id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.id", v), + "ProcessSessionLeaderProcessThreadId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.id", v), + "process.session_leader.process.thread.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.name", v), + "ProcessSessionLeaderProcessThreadName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.name", v), + "process.session_leader.process.title" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.title", v), + "ProcessSessionLeaderProcessTitle" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.title", v), + "process.session_leader.process.uptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.uptime", v), + "ProcessSessionLeaderProcessUptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.uptime", v), + "process.session_leader.process.vpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.vpid", v), + "ProcessSessionLeaderProcessVpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.vpid", v), + "process.session_leader.process.working_directory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.working_directory", v), + "ProcessSessionLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.working_directory", v), + "process.session_leader.process.session_leader.parent.process.args_count" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.args_count", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessSessionLeaderParent(e, 
"process.session_leader.parent.process.args_count", v), + "process.session_leader.process.session_leader.parent.process.command_line" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.command_line", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.command_line", v), + "process.session_leader.process.session_leader.parent.process.end" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.end", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessEnd" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.end", v), + "process.session_leader.process.session_leader.parent.process.entity_id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.entity_id", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessEntityId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.entity_id", v), + "process.session_leader.process.session_leader.parent.process.executable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.executable", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessExecutable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.executable", v), + "process.session_leader.process.session_leader.parent.process.exit_code" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.exit_code", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessExitCode" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.exit_code", v), + "process.session_leader.process.session_leader.parent.process.interactive" => static (e, v) => TrySetProcessSessionLeaderParent(e, 
"process.session_leader.parent.process.interactive", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessInteractive" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.interactive", v), + "process.session_leader.process.session_leader.parent.process.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.name", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.name", v), + "process.session_leader.process.session_leader.parent.process.pgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pgid", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessPgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pgid", v), + "process.session_leader.process.session_leader.parent.process.pid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pid", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessPid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pid", v), + "process.session_leader.process.session_leader.parent.process.start" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.start", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessStart" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.start", v), + "process.session_leader.process.session_leader.parent.process.thread.id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.id", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessThreadId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.id", v), + 
"process.session_leader.process.session_leader.parent.process.thread.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.name", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessThreadName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.name", v), + "process.session_leader.process.session_leader.parent.process.title" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.title", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessTitle" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.title", v), + "process.session_leader.process.session_leader.parent.process.uptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.uptime", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessUptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.uptime", v), + "process.session_leader.process.session_leader.parent.process.vpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.vpid", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessVpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.vpid", v), + "process.session_leader.process.session_leader.parent.process.working_directory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.working_directory", v), + "ProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.working_directory", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.SessionLeader ?? 
new ProcessSessionLeader(); + var assigned = assign(entity, value); + if (assigned) document.SessionLeader = entity; + return assigned; + } + + public static bool TrySetGroupLeader(IGroupLeader document, string path, object value) + { + Func assign = path switch + { + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static 
(e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.GroupLeader ?? 
new ProcessGroupLeader(); + var assigned = assign(entity, value); + if (assigned) document.GroupLeader = entity; + return assigned; + } + + public static bool TrySetPrevious(IPrevious document, string path, object value) + { + Func assign = path switch + { + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => 
TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Previous ?? 
new ProcessPrevious(); + var assigned = assign(entity, value); + if (assigned) document.Previous = entity; + return assigned; + } + + public static bool TrySetOrigin(IOrigin document, string path, object value) + { + Func assign = path switch + { + "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => 
ee.Version = p), + "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Origin ?? new ServiceOrigin(); + var assigned = assign(entity, value); + if (assigned) document.Origin = entity; + return assigned; + } + + public static bool TrySetTarget(ITarget document, string path, object value) + { + Func assign = path switch + { + "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "service.type" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.Type = p), + "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Target ?? new ServiceTarget(); + var assigned = assign(entity, value); + if (assigned) document.Target = entity; + return assigned; + } + + public static bool TrySetIndicatorX509(IIndicatorX509 document, string path, object value) + { + Func assign = path switch + { + "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "x509.public_key_size" => static 
(e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.IndicatorX509 ?? new X509(); + var assigned = assign(entity, value); + if (assigned) document.IndicatorX509 = entity; + return assigned; + } + + public static bool TrySetIndicatorAs(IIndicatorAs document, string path, object value) + { + Func assign = path switch + { + "as.number" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), + "AsNumber" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), + "as.organization.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.IndicatorAs ?? 
new As(); + var assigned = assign(entity, value); + if (assigned) document.IndicatorAs = entity; + return assigned; + } + + public static bool TrySetIndicatorFile(IIndicatorFile document, string path, object value) + { + Func assign = path switch + { + "file.accessed" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Accessed = p), + "FileAccessed" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Accessed = p), + "file.created" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Created = p), + "FileCreated" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Created = p), + "file.ctime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Ctime = p), + "FileCtime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Ctime = p), + "file.device" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Device = p), + "FileDevice" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Device = p), + "file.directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Directory = p), + "FileDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Directory = p), + "file.drive_letter" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DriveLetter = p), + "FileDriveLetter" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DriveLetter = p), + "file.extension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), + "FileExtension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), + "file.fork_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ForkName = p), + "FileForkName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ForkName = p), + "file.gid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Gid = p), + "FileGid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Gid = p), + "file.group" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.Group = p), + "FileGroup" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Group = p), + "file.inode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Inode = p), + "FileInode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Inode = p), + "file.mime_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MimeType = p), + "FileMimeType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MimeType = p), + "file.mode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mode = p), + "FileMode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mode = p), + "file.mtime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Mtime = p), + "FileMtime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Mtime = p), + "file.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "FileName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "file.owner" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Owner = p), + "FileOwner" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Owner = p), + "file.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "FilePath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "file.size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Size = p), + "FileSize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Size = p), + "file.target_path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TargetPath = p), + "FileTargetPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TargetPath = p), + "file.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "FileType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "file.uid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), + "FileUid" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.Uid = p), + "file.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "FileHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), + "file.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "FileHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), + "file.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "FileHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), + "file.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "FileHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), + "file.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "FileHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), + "file.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "FileHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), + "file.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "FileHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), + "file.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "FilePeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), + "file.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), + "FilePeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), + "file.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), + "FilePeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), + "file.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "FilePeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), + "file.pe.go_import_hash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), + "FilePeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), + "file.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + "FilePeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), + 
"file.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "FilePeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), + "file.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "FilePeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), + "file.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "FilePeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), + "file.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "FilePeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), + "file.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "FilePeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), + "file.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "FilePeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), + "file.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "FilePeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), + "file.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "FilePeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), + "file.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "FilePePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), + "file.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), + "FilePeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), + "file.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "FileX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), + "file.x509.not_after" => static (e, v) => TrySetX509(e, 
"x509.not_after", v), + "FileX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), + "file.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "FileX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), + "file.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "FileX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), + "file.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "FileX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), + "file.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "FileX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), + "file.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "FileX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), + "file.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "FileX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), + "file.x509.signature_algorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), + "FileX509SignatureAlgorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), + "file.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "FileX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), + "file.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "FileX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "file.code_signature.digest_algorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), + "FileCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, 
"code_signature.digest_algorithm", v), + "file.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "FileCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), + "file.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "FileCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), + "file.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "FileCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), + "file.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "FileCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), + "file.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "FileCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), + "file.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "FileCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), + "file.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "FileCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), + "file.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "FileCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "file.elf.architecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), + "FileElfArchitecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), + "file.elf.byte_order" => static (e, v) => TrySetElf(e, "elf.byte_order", v), + "FileElfByteOrder" => static (e, v) => 
TrySetElf(e, "elf.byte_order", v), + "file.elf.cpu_type" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), + "FileElfCpuType" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), + "file.elf.creation_date" => static (e, v) => TrySetElf(e, "elf.creation_date", v), + "FileElfCreationDate" => static (e, v) => TrySetElf(e, "elf.creation_date", v), + "file.elf.go_import_hash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), + "FileElfGoImportHash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), + "file.elf.go_imports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), + "FileElfGoImports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), + "file.elf.go_imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), + "FileElfGoImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), + "file.elf.go_imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), + "FileElfGoImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), + "file.elf.go_stripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), + "FileElfGoStripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), + "file.elf.header.abi_version" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), + "FileElfHeaderAbiVersion" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), + "file.elf.header.class" => static (e, v) => TrySetElf(e, "elf.header.class", v), + "FileElfHeaderClass" => static (e, v) => TrySetElf(e, "elf.header.class", v), + "file.elf.header.data" => static (e, v) => TrySetElf(e, "elf.header.data", v), + "FileElfHeaderData" => static (e, v) => TrySetElf(e, "elf.header.data", v), + "file.elf.header.entrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), + "FileElfHeaderEntrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), + "file.elf.header.object_version" => 
static (e, v) => TrySetElf(e, "elf.header.object_version", v), + "FileElfHeaderObjectVersion" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), + "file.elf.header.os_abi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), + "FileElfHeaderOsAbi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), + "file.elf.header.type" => static (e, v) => TrySetElf(e, "elf.header.type", v), + "FileElfHeaderType" => static (e, v) => TrySetElf(e, "elf.header.type", v), + "file.elf.header.version" => static (e, v) => TrySetElf(e, "elf.header.version", v), + "FileElfHeaderVersion" => static (e, v) => TrySetElf(e, "elf.header.version", v), + "file.elf.import_hash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), + "FileElfImportHash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), + "file.elf.imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), + "FileElfImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), + "file.elf.imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), + "FileElfImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), + "file.elf.telfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), + "FileElfTelfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), + "file.macho.go_import_hash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), + "FileMachoGoImportHash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), + "file.macho.go_imports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), + "FileMachoGoImports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), + "file.macho.go_imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), + "FileMachoGoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), + "file.macho.go_imports_names_var_entropy" => static 
(e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), + "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), + "file.macho.go_stripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), + "FileMachoGoStripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), + "file.macho.import_hash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), + "FileMachoImportHash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), + "file.macho.imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), + "FileMachoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), + "file.macho.imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), + "FileMachoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), + "file.macho.symhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + "FileMachoSymhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + _ => null + }; + if (assign == null) return false; + + var entity = document.IndicatorFile ?? 
new File(); + var assigned = assign(entity, value); + if (assigned) document.IndicatorFile = entity; + return assigned; + } + + public static bool TrySetIndicatorGeo(IIndicatorGeo document, string path, object value) + { + Func assign = path switch + { + "geo.city_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), + "GeoCityName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), + "geo.continent_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), + "GeoContinentCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), + "geo.continent_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), + "GeoContinentName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), + "geo.country_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), + "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), + "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), + "GeoPostalCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), + "geo.region_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), + "GeoRegionIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), + "geo.region_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), + "GeoRegionName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName 
= p), + "geo.timezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), + "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.IndicatorGeo ?? new Geo(); + var assigned = assign(entity, value); + if (assigned) document.IndicatorGeo = entity; + return assigned; + } + + public static bool TrySetIndicatorRegistry(IIndicatorRegistry document, string path, object value) + { + Func assign = path switch + { + "registry.data.bytes" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataBytes = p), + "RegistryDataBytes" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataBytes = p), + "registry.data.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataType = p), + "RegistryDataType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataType = p), + "registry.hive" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hive = p), + "RegistryHive" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hive = p), + "registry.key" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Key = p), + "RegistryKey" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Key = p), + "registry.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "RegistryPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "registry.value" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Value = p), + "RegistryValue" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Value = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.IndicatorRegistry ?? 
new Registry(); + var assigned = assign(entity, value); + if (assigned) document.IndicatorRegistry = entity; + return assigned; + } + + public static bool TrySetIndicatorUrl(IIndicatorUrl document, string path, object value) + { + Func assign = path switch + { + "url.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UrlDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "url.extension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), + "UrlExtension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), + "url.fragment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Fragment = p), + "UrlFragment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Fragment = p), + "url.full" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), + "UrlFull" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), + "url.original" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), + "UrlOriginal" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), + "url.password" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Password = p), + "UrlPassword" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Password = p), + "url.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "UrlPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "url.port" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), + "UrlPort" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), + "url.query" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Query = p), + "UrlQuery" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Query = p), + "url.registered_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), + "UrlRegisteredDomain" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), + "url.scheme" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Scheme = p), + "UrlScheme" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Scheme = p), + "url.subdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), + "UrlSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), + "url.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "UrlTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "url.username" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Username = p), + "UrlUsername" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Username = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.IndicatorUrl ?? new Url(); + var assigned = assign(entity, value); + if (assigned) document.IndicatorUrl = entity; + return assigned; + } + + public static bool TrySetClientX509(IClientX509 document, string path, object value) + { + Func assign = path switch + { + "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.PublicKeyAlgorithm = p), + "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.ClientX509 ?? 
new X509(); + var assigned = assign(entity, value); + if (assigned) document.ClientX509 = entity; + return assigned; + } + + public static bool TrySetServerX509(IServerX509 document, string path, object value) + { + Func assign = path switch + { + "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "x509.signature_algorithm" => 
static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.ServerX509 ?? new X509(); + var assigned = assign(entity, value); + if (assigned) document.ServerX509 = entity; + return assigned; + } + + public static bool TrySetTarget(ITarget document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) 
=> ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Target ?? new UserTarget(); + var assigned = assign(entity, value); + if (assigned) document.Target = entity; + return assigned; + } + + public static bool TrySetEffective(IEffective document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Effective ?? 
new UserEffective(); + var assigned = assign(entity, value); + if (assigned) document.Effective = entity; + return assigned; + } + + public static bool TrySetChanges(IChanges document, string path, object value) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + if (assign == null) return false; + + var entity = document.Changes ?? new UserChanges(); + var assigned = assign(entity, value); + if (assigned) document.Changes = entity; return assigned; } } diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs index cb24757f..b8365206 100644 --- a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs +++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs 
@@ -13,7 +13,7 @@ public GithubIssue402(ITestOutputHelper output) : base(output) { } [Fact] public void Reproduce() => TestLogger((logger, getLogEvents) => { - using (LogContext.PushProperty("client.user.id", "regis")) + using (LogContext.PushProperty("client.as.number", 1)) logger.Information("Logging something with log context"); var logEvents = getLogEvents(); @@ -26,7 +26,7 @@ public void Reproduce() => TestLogger((logger, getLogEvents) => info.Client.Should().NotBeNull(); - info.Client.User.Id.Should().Be("regis"); + info.Client.As.Number.Should().Be(1); //info.Labels.Should().NotBeNull().And.ContainKey("client.user.id"); //info.Labels["ShipmentId"].Should().Be("my-shipment-id"); diff --git a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs index 684b253c..10f37dbc 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs @@ -1,6 +1,7 @@ using System.Linq; using System.Text.RegularExpressions; using Elastic.CommonSchema.Generator.Schema.DTO; +using YamlDotNet.Core.Tokens; namespace Elastic.CommonSchema.Generator.Projection { @@ -80,6 +81,8 @@ public class ValueTypePropertyReference : PropertyReference { public ValueTypePropertyReference(string parentPath, string fullPath, Field field) : base(parentPath, fullPath) { + ParentPath = parentPath; + Field = field; ClrType = field.GetClrType(); ReadJsonType = ClrType.PascalCase(); CastFromObject = field.GetCastFromObject(); 
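Review bot: The two hunks in GithubIssue402.cs replace the `client.user.id` case instead of adding to it, so the property the repro was written for is no longer exercised once this lands. Keeping the original push and assertion and adding the new one next to it would cover both the string and the numeric path, e.g. a second `using (LogContext.PushProperty("client.as.number", 1))` with `info.Client.As.Number.Should().Be(1);` after the existing `info.Client.User.Id.Should().Be("regis");`. The commented-out `Labels` assertions still mention `client.user.id` and `ShipmentId`; they should either be restored as real assertions or dropped.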
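Review bot: The added `using YamlDotNet.Core.Tokens;` at the top of PropertyReference.cs does not appear to be used by anything in the hunks of this file and looks like an IDE auto-import. That namespace declares short, generic type names such as `Key`, `Value` and `Scalar`, so keeping it in scope invites ambiguous or silently wrong name resolution later in a file that deals with fields and values. I would drop the line unless a type from it is referenced outside the visible hunks.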
@@ -87,11 +90,26 @@ public ValueTypePropertyReference(string parentPath, string fullPath, Field fiel Example = NormalizeDescription(field.Example?.ToString() ?? string.Empty); } + internal ValueTypePropertyReference(string parentPath, string prefix, string fullPath, Field field, EntityClass entity) + : this(parentPath, $"{prefix}.{fullPath}", field) + { + OriginalFullPath = fullPath; + IsEntityDispatch = true; + CastFromObject = $"TrySet{entity.Name}"; + } + public bool IsEntityDispatch { get; } + public string OriginalFullPath { get; } + internal string ParentPath { get; } + internal Field Field { get; } + public string CastFromObject { get; } public string ReadJsonType { get; } public string ClrType { get; } public override string Description { get; } public override string Example { get; } + + public ValueTypePropertyReference CreateSettableTypePropertyReference(string prefix, EntityClass entity) => + new(ParentPath, prefix, FullPath, Field, entity); } public class InlineObjectPropertyReference : PropertyReference diff --git a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs index 8a0bdc8a..0c49d87b 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs @@ -1,3 +1,4 @@ +using System; using System.Collections.Generic; using System.Collections.ObjectModel; using System.Linq; @@ -30,6 +31,8 @@ public class CommonSchemaTypesProjection public IReadOnlyCollection IndexComponents { get; set; } public List AssignableInterfaces { get; set; } + + public List AssignablePropDispatches { get; set; } // ReSharper restore PropertyCanBeMadeInitOnly.Global } 
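Review bot: After this hunk `CastFromObject` carries two different kinds of method name and nothing in the class says so: the public constructor takes it from `field.GetCastFromObject()`, while the new internal constructor overwrites it with `$"TrySet{entity.Name}"`, which the `PropDispatch` template calls with a path argument rather than a setter lambda. Doc comments on the new members would make that contract explicit, for example `/// True when CastFromObject names a TrySet{Entity} dispatch method rather than a value cast helper` on `IsEntityDispatch` and `/// Path as seen by the nested entity, before the prefix was added` on `OriginalFullPath`. `CreateSettableTypePropertyReference` passes the current `FullPath` as the inner path, so calling it on an already prefixed reference presumably nests prefixes; a one-line comment saying that this is intended would help. The public constructor begins before this hunk.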
@@ -102,7 +105,7 @@ public CommonSchemaTypesProjection CreateProjection() var nestedEntityTypes = CreateEntityTypes(); - var entities = EntityClasses.Values.Where(e => e.Name != "EcsDocument" && e.BaseFieldSet.FieldSet.Root != true).ToList(); + var entities = EntityClasses.Values; var assignables = entities .Where(e => e.EntityReferences.Count > 0) .SelectMany(e => e.EntityReferences.Select(r => (EntityClass: e, EntityPropertyReference: r)).ToList()) @@ -135,7 +138,7 @@ public CommonSchemaTypesProjection CreateProjection() Version = Schema.Version, GitRef = Schema.GitRef, FieldSets = FieldSetsBaseClasses.Values.Where(e=>e.FieldSet.Root != true || e.FieldSet.Name == "base" ).ToList(), - EntityClasses = entities, + EntityClasses = EntityClasses.Values.Where(e => e.Name != "EcsDocument" && e.BaseFieldSet.FieldSet.Root != true).ToList(), EntitiesWithPropertiesAtRoot = new Dictionary { { EntityClasses.Values.First(e=>e.Name == "Log"), new []{"level"}}, 
@@ -145,11 +148,41 @@ public CommonSchemaTypesProjection CreateProjection() InlineObjects = InlineObjects.Values.ToList(), NestedEntityClasses = nestedEntityTypes.Values.ToList(), Warnings = Warnings.AsReadOnly(), - IndexTemplates = Schema.Templates.Select(kv=>new IndexTemplate(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), - IndexComponents = Schema.Components.Select(kv=>new IndexComponent(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), + IndexTemplates = Schema.Templates.Select(kv => new IndexTemplate(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), + IndexComponents = Schema.Components.Select(kv => new IndexComponent(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), AssignableInterfaces = assignables }; + var assignableToEcsDocument = Projection.EntityClasses.Select(e=> assignables.FirstOrDefault(a=>a.Property.Entity == e && a.Property.Name == e.Name)).Where(a => a != null).ToList(); + Projection.Base.AssignableInterfaces = assignableToEcsDocument; + + var eHashs = new HashSet(Projection.EntityClasses.Select(e => e.Name)); + var aHashs = new HashSet(Projection.AssignableInterfaces.Select(e => e.Name.Substring(1, e.Name.Length - 1))); + eHashs.ExceptWith(aHashs); + var hashes = new HashSet(eHashs.Concat(aHashs)); + var propDispatches = new List(); + foreach (var dispatch in hashes) + { + if (eHashs.Contains(dispatch)) + { + var entityClass = Projection.EntityClasses.First(e => e.Name == dispatch); + propDispatches.Add(new PropDispatch(dispatch, entityClass, Projection.Base.Name)); + } + else if (aHashs.Contains(dispatch)) + { + var entityClass = Projection.AssignableInterfaces.FirstOrDefault(e => e.Name == $"I{dispatch}"); + if (entityClass == null) + { + continue; + } + propDispatches.Add(new PropDispatch(entityClass.Property)); + } + } + Projection.AssignablePropDispatches = propDispatches; + + Console.WriteLine(string.Join(", ", eHashs)); + + return Projection; } 
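Review bot: The interface lookup in the added `foreach` depends on every `AssignableInterfaces` name starting with `I`: `e.Name.Substring(1, e.Name.Length - 1)` strips the first character unconditionally and the `else if` branch re-adds it as `$"I{dispatch}"`, so a name that breaks the convention lands on `continue` and its dispatch method is dropped without a trace. Recording that case in `Warnings` instead of skipping it would make a missing `TrySet…` method visible in the generator output. `hashes` is a `HashSet`, whose enumeration order is not specified, so iterating it sorted, e.g. `foreach (var dispatch in hashes.OrderBy(h => h, StringComparer.Ordinal))`, would keep the ordering of the generated file stable and its diffs reviewable. `Console.WriteLine(string.Join(", ", eHashs));` reads like leftover debug output and should go before merge. `CreateProjection` starts before this hunk.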
diff --git a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs index a07ff08d..fb9d88c5 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs @@ -1,3 +1,4 @@ +using System; using System.Collections.Generic; using System.Linq; using Elastic.CommonSchema.Generator.Schema.DTO; @@ -11,14 +12,14 @@ public class FieldSetBaseClass(FieldSet fieldSet) public Dictionary Properties { get; } = new(); - public IEnumerable SettableProperties => - ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)); - public IEnumerable ValueProperties => Properties.Values.OfType(); public IEnumerable InlineObjectProperties => Properties.Values.OfType(); + + public IEnumerable SettableProperties => ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)); + } public class InlineObject(string name, Field field) @@ -51,11 +52,13 @@ public class EntityClass { public EntityClass(string name, FieldSetBaseClass baseFieldSet) { + OriginalName = name; Name = name.PascalCase(); if (Name == "Base") Name = "EcsDocument"; BaseFieldSet = baseFieldSet; } + internal string OriginalName { get; } public string Name { get; } public FieldSetBaseClass BaseFieldSet { get; } public bool Partial => Name is "EcsDocument" or "Log" or "Ecs"; @@ -63,6 +66,13 @@ public EntityClass(string name, FieldSetBaseClass baseFieldSet) public Dictionary EntityReferences { get; } = new(); public IEnumerable EntityProperties => EntityReferences.Values; + + public IEnumerable SettableProperties => + BaseFieldSet.ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)) + .Concat(EntityProperties.SelectMany(e=>e.Entity.SettableProperties.Select(s=>s.CreateSettableTypePropertyReference(OriginalName, e.Entity)))) + .DistinctBy(e=>e.Name); + + //provided later public List AssignableInterfaces { get; set; } = new(); 
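Review bot: `EntityClass.SettableProperties` (hunk `@@ -63,6 +66,13 @@`) recurses into `e.Entity.SettableProperties` for every entity reference with no guard against an entity reaching itself again, and because it is a deferred LINQ chain behind an expression-bodied property, the whole tree is rebuilt with fresh `ValueTypePropertyReference` objects each time one of the views enumerates it. Whether `EntityReferences` can form a cycle is not visible here; if it can, enumeration would not terminate. Materialising the result once into a list would remove the repeated work, and `DistinctBy(e => e.Name)` deserves a comment saying which duplicate is expected to lose, since it keeps the first occurrence and the direct `BaseFieldSet` properties come first in the `Concat`. `EntityClass` begins outside the hunk.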
@@ -91,4 +101,30 @@ public AssignableEntityInterface(string name, EntityPropertyReference property, public string Name { get; } } + public class PropDispatch + { + public string Name { get; } + public string FuncTarget { get; } + public string AssignTarget { get; } + public EntityClass Entity { get; } + public string Target { get; } + + public PropDispatch(string name, EntityClass entity, string target) + { + Name = name; + FuncTarget = entity.Name; + AssignTarget = entity.Name; + Entity = entity; + Target = target; + } + + public PropDispatch(EntityPropertyReference property) + { + Name = property.Name; + Entity = property.Entity; + Target = $"I{Name}"; + FuncTarget = property.Entity.Name; + AssignTarget = property.Name; + } + } } diff --git a/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml index 38ce99cf..4cf6c5bc 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml @@ -27,7 +27,7 @@ using Elastic.CommonSchema.Serialization; namespace Elastic.CommonSchema { /// - public partial class @Model.Base.Name : @Model.Base.BaseFieldSet.Name + public partial class @Model.Base.Name : @Model.Base.BaseFieldSet.Name @Model.Base.AssignableInterfacesAsString { /// diff --git a/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml index e7a46fdc..428159e1 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml 
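Review bot: `PropDispatch` exposes four string properties with no documentation, and its two constructors fill them differently: the entity constructor sets `FuncTarget` and `AssignTarget` to `entity.Name` and takes `Target` from the caller, while the property constructor derives `Target` as `$"I{Name}"` and splits `FuncTarget` (`property.Entity.Name`) from `AssignTarget` (`property.Name`). A class summary plus one-line comments tied to the template slots would make this readable without opening the view, for example `/// Suffix of the generated TrySet method` on `Name`, `/// Type of the generated method's document parameter` on `Target`, `/// Entity type the assign delegate receives` on `FuncTarget` and `/// Property on the document that receives the entity` on `AssignTarget`. The summary should also say that the first constructor is used for entities assigned directly on the document and the second for entities reached through an assignable interface.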
@@ -41,7 +41,7 @@ namespace Elastic.CommonSchema } @foreach (var entity in Model.EntityClasses) { - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { /// /// @prop.FullPath @@ -65,7 +65,7 @@ namespace Elastic.CommonSchema } @foreach (var entity in Model.EntityClasses) { - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { "@prop.FullPath", @prop.LogTemplateAlternative, diff --git a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml index 6feff970..105110e1 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml @@ -119,7 +119,7 @@ namespace Elastic.CommonSchema { continue; } - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { case "@prop.FullPath": case "@prop.LogTemplateAlternative": 
@@ -147,26 +147,37 @@ namespace Elastic.CommonSchema }; return assign != null && assign(document, value); } -@foreach (var entity in Model.EntityClasses) +@foreach (var dispatch in Model.AssignablePropDispatches) { + var entity = dispatch.Entity; - public static bool TrySet@(entity.Name)(EcsDocument document, string path, object value) + public static bool TrySet@(dispatch.Name)(@dispatch.Target document, string path, object value) { - Func@(Raw("<"))@(entity.Name), object, bool@(Raw(">")) assign = path switch + Func@(Raw("<"))@(dispatch.FuncTarget), object, bool@(Raw(">")) assign = path switch { - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { + if (!prop.IsEntityDispatch) + { + // "client.as.number" => static (e, v) => TrySetAs(e, "as.number", v), "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), + } + else + { + "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, "@(prop.OriginalFullPath)", v), + "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, "@(prop.OriginalFullPath)", v), + + } } _ => null }; if (assign == null) return false; - var entity = document.@(entity.Name) ?? new @(entity.Name)(); + var entity = document.@(dispatch.AssignTarget) ?? new @(entity.Name)(); var assigned = assign(entity, value); - if (assigned) document.@(entity.Name) = entity; + if (assigned) document.@(dispatch.AssignTarget) = entity; return assigned; } From c3c8a765dfe65ea86446b90f06551177ea272040 Mon Sep 17 00:00:00 2001 
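Review bot: The example comment `// "client.as.number" => static (e, v) => TrySetAs(e, "as.number", v),` sits in the `if (!prop.IsEntityDispatch)` branch, but the shape it shows, a path string handed on to a `TrySet…` method, is what the `else` branch emits. Moving it above the two `else` arms, and dropping the blank line left before that branch's closing brace, would keep the template readable. The dispatched arms write `@(prop.OriginalFullPath)` into a C# string literal in the generated source, which is fine as long as paths come only from the pinned schema files; a short comment stating that assumption would help whoever extends the generator's inputs later. The `@foreach` block closes after the hunk.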
From: Martijn Laarman Date: Wed, 25 Sep 2024 14:50:51 +0200 Subject: [PATCH 4/8] stage --- .../AssignableInterfaces.Generated.cs | 30 + .../LogTemplateProperties.Generated.cs | 2112 ++--- .../PropDispatch.Generated.cs | 7054 ++++++++--------- .../Projection/PropertyReference.cs | 33 +- .../Projection/TypeProjector.cs | 29 +- .../Projection/Types.cs | 30 +- .../Views/PropDispatch.Generated.cshtml | 16 +- 7 files changed, 4595 insertions(+), 4709 deletions(-) diff --git a/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs b/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs index 5bad139a..b66da896 100644 --- a/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs +++ b/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs 
@@ -268,4 +268,34 @@ public interface IUserChanges { ///changes public UserChanges? Changes { get; set; } } + + /// Interface for entities that can assign an IProcessParentGroupLeader: ProcessParent + public interface IProcessParentGroupLeader { + ///group_leader + public ProcessParentGroupLeader? GroupLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessEntryLeaderParent: ProcessEntryLeader + public interface IProcessEntryLeaderParent { + ///parent + public ProcessEntryLeaderParent? Parent { get; set; } + } + + /// Interface for entities that can assign an IProcessSessionLeaderParent: ProcessSessionLeader + public interface IProcessSessionLeaderParent { + ///parent + public ProcessSessionLeaderParent? Parent { get; set; } + } + + /// Interface for entities that can assign an IProcessEntryLeaderParentSessionLeader: ProcessEntryLeaderParent + public interface IProcessEntryLeaderParentSessionLeader { + ///session_leader + public ProcessEntryLeaderParentSessionLeader? SessionLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessSessionLeaderParentSessionLeader: ProcessSessionLeaderParent + public interface IProcessSessionLeaderParentSessionLeader { + ///session_leader + public ProcessSessionLeaderParentSessionLeader? SessionLeader { get; set; } + } } diff --git a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs index 17ed6bce..b23bfbef 100644 --- a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs +++ b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs 
@@ -369,43 +369,43 @@ public static class LogTemplateProperties /// public static string ClientUserRiskStaticScoreNorm = nameof(ClientUserRiskStaticScoreNorm); /// - /// client.user.user.domain + /// client.user.target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ClientUserUserDomain = nameof(ClientUserUserDomain); + public static string ClientUserTargetUserDomain = nameof(ClientUserTargetUserDomain); /// - /// client.user.user.email + /// client.user.target.user.email /// User email address. /// /// - public static string ClientUserUserEmail = nameof(ClientUserUserEmail); + public static string ClientUserTargetUserEmail = nameof(ClientUserTargetUserEmail); /// - /// client.user.user.full_name + /// client.user.target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string ClientUserUserFullName = nameof(ClientUserUserFullName); + public static string ClientUserTargetUserFullName = nameof(ClientUserTargetUserFullName); /// - /// client.user.user.hash + /// client.user.target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ClientUserUserHash = nameof(ClientUserUserHash); + public static string ClientUserTargetUserHash = nameof(ClientUserTargetUserHash); /// - /// client.user.user.id + /// client.user.target.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ClientUserUserId = nameof(ClientUserUserId); + public static string ClientUserTargetUserId = nameof(ClientUserTargetUserId); /// - /// client.user.user.name + /// client.user.target.user.name /// Short name or login of the user. 
/// a.einstein /// - public static string ClientUserUserName = nameof(ClientUserUserName); + public static string ClientUserTargetUserName = nameof(ClientUserTargetUserName); /// /// cloud.account.id /// The cloud account or organization id used to identify different entities in a multi-tenant environment. 
@@ -478,76 +478,76 @@ public static class LogTemplateProperties /// public static string CloudServiceName = nameof(CloudServiceName); /// - /// cloud.cloud.account.id + /// origin.cloud.account.id /// The cloud account or organization id used to identify different entities in a multi-tenant environment. /// Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. /// 666777888999 /// - public static string CloudCloudAccountId = nameof(CloudCloudAccountId); + public static string OriginCloudAccountId = nameof(OriginCloudAccountId); /// - /// cloud.cloud.account.name + /// origin.cloud.account.name /// The cloud account name or alias used to identify different entities in a multi-tenant environment. /// Examples: AWS account name, Google Cloud ORG display name. /// elastic-dev /// - public static string CloudCloudAccountName = nameof(CloudCloudAccountName); + public static string OriginCloudAccountName = nameof(OriginCloudAccountName); /// - /// cloud.cloud.availability_zone + /// origin.cloud.availability_zone /// Availability zone in which this host, resource, or service is located. /// us-east-1c /// - public static string CloudCloudAvailabilityZone = nameof(CloudCloudAvailabilityZone); + public static string OriginCloudAvailabilityZone = nameof(OriginCloudAvailabilityZone); /// - /// cloud.cloud.instance.id + /// origin.cloud.instance.id /// Instance ID of the host machine. /// i-1234567890abcdef0 /// - public static string CloudCloudInstanceId = nameof(CloudCloudInstanceId); + public static string OriginCloudInstanceId = nameof(OriginCloudInstanceId); /// - /// cloud.cloud.instance.name + /// origin.cloud.instance.name /// Instance name of the host machine. /// /// - public static string CloudCloudInstanceName = nameof(CloudCloudInstanceName); + public static string OriginCloudInstanceName = nameof(OriginCloudInstanceName); /// - /// cloud.cloud.machine.type + /// origin.cloud.machine.type /// Machine type of the host machine. 
/// t2.medium /// - public static string CloudCloudMachineType = nameof(CloudCloudMachineType); + public static string OriginCloudMachineType = nameof(OriginCloudMachineType); /// - /// cloud.cloud.project.id + /// origin.cloud.project.id /// The cloud project identifier. /// Examples: Google Cloud Project id, Azure Project id. /// my-project /// - public static string CloudCloudProjectId = nameof(CloudCloudProjectId); + public static string OriginCloudProjectId = nameof(OriginCloudProjectId); /// - /// cloud.cloud.project.name + /// origin.cloud.project.name /// The cloud project name. /// Examples: Google Cloud Project name, Azure Project name. /// my project /// - public static string CloudCloudProjectName = nameof(CloudCloudProjectName); + public static string OriginCloudProjectName = nameof(OriginCloudProjectName); /// - /// cloud.cloud.provider + /// origin.cloud.provider /// Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. /// aws /// - public static string CloudCloudProvider = nameof(CloudCloudProvider); + public static string OriginCloudProvider = nameof(OriginCloudProvider); /// - /// cloud.cloud.region + /// origin.cloud.region /// Region in which this host, resource, or service is located. /// us-east-1 /// - public static string CloudCloudRegion = nameof(CloudCloudRegion); + public static string OriginCloudRegion = nameof(OriginCloudRegion); /// - /// cloud.cloud.service.name + /// origin.cloud.service.name /// The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. /// Examples: app engine, app service, cloud run, fargate, lambda. /// lambda /// - public static string CloudCloudServiceName = nameof(CloudCloudServiceName); + public static string OriginCloudServiceName = nameof(OriginCloudServiceName); /// /// code_signature.digest_algorithm /// The hashing algorithm used to sign the process. 
@@ -952,43 +952,43 @@ public static class LogTemplateProperties /// public static string DestinationUserRiskStaticScoreNorm = nameof(DestinationUserRiskStaticScoreNorm); /// - /// destination.user.user.domain + /// destination.user.target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string DestinationUserUserDomain = nameof(DestinationUserUserDomain); + public static string DestinationUserTargetUserDomain = nameof(DestinationUserTargetUserDomain); /// - /// destination.user.user.email + /// destination.user.target.user.email /// User email address. /// /// - public static string DestinationUserUserEmail = nameof(DestinationUserUserEmail); + public static string DestinationUserTargetUserEmail = nameof(DestinationUserTargetUserEmail); /// - /// destination.user.user.full_name + /// destination.user.target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string DestinationUserUserFullName = nameof(DestinationUserUserFullName); + public static string DestinationUserTargetUserFullName = nameof(DestinationUserTargetUserFullName); /// - /// destination.user.user.hash + /// destination.user.target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string DestinationUserUserHash = nameof(DestinationUserUserHash); + public static string DestinationUserTargetUserHash = nameof(DestinationUserTargetUserHash); /// - /// destination.user.user.id + /// destination.user.target.user.id /// Unique identifier of the user. 
/// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string DestinationUserUserId = nameof(DestinationUserUserId); + public static string DestinationUserTargetUserId = nameof(DestinationUserTargetUserId); /// - /// destination.user.user.name + /// destination.user.target.user.name /// Short name or login of the user. /// a.einstein /// - public static string DestinationUserUserName = nameof(DestinationUserUserName); + public static string DestinationUserTargetUserName = nameof(DestinationUserTargetUserName); /// /// device.id /// The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. 
@@ -4041,293 +4041,293 @@ public static class LogTemplateProperties /// public static string ProcessMachoSymhash = nameof(ProcessMachoSymhash); /// - /// process.source.address + /// process.entry_meta.source.address /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. /// /// - public static string ProcessSourceAddress = nameof(ProcessSourceAddress); + public static string ProcessEntryMetaSourceAddress = nameof(ProcessEntryMetaSourceAddress); /// - /// process.source.bytes + /// process.entry_meta.source.bytes /// Bytes sent from the source to the destination. /// 184 /// - public static string ProcessSourceBytes = nameof(ProcessSourceBytes); + public static string ProcessEntryMetaSourceBytes = nameof(ProcessEntryMetaSourceBytes); /// - /// process.source.domain + /// process.entry_meta.source.domain /// The domain name of the source system. /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. /// foo.example.com /// - public static string ProcessSourceDomain = nameof(ProcessSourceDomain); + public static string ProcessEntryMetaSourceDomain = nameof(ProcessEntryMetaSourceDomain); /// - /// process.source.ip + /// process.entry_meta.source.ip /// IP address of the source (IPv4 or IPv6). /// /// - public static string ProcessSourceIp = nameof(ProcessSourceIp); + public static string ProcessEntryMetaSourceIp = nameof(ProcessEntryMetaSourceIp); /// - /// process.source.mac + /// process.entry_meta.source.mac /// MAC address of the source. /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. /// pattern: /// 00-00-5E-00-53-23 /// - public static string ProcessSourceMac = nameof(ProcessSourceMac); + public static string ProcessEntryMetaSourceMac = nameof(ProcessEntryMetaSourceMac); /// - /// process.source.nat.ip + /// process.entry_meta.source.nat.ip /// Translated ip of source based NAT sessions (e.g. internal client to internet) /// Typically connections traversing load balancers, firewalls, or routers. /// /// - public static string ProcessSourceNatIp = nameof(ProcessSourceNatIp); + public static string ProcessEntryMetaSourceNatIp = nameof(ProcessEntryMetaSourceNatIp); /// - /// process.source.nat.port + /// process.entry_meta.source.nat.port /// Translated port of source based NAT sessions. (e.g. internal client to internet) /// Typically used with load balancers, firewalls, or routers. /// /// - public static string ProcessSourceNatPort = nameof(ProcessSourceNatPort); + public static string ProcessEntryMetaSourceNatPort = nameof(ProcessEntryMetaSourceNatPort); /// - /// process.source.packets + /// process.entry_meta.source.packets /// Packets sent from the source to the destination. /// 12 /// - public static string ProcessSourcePackets = nameof(ProcessSourcePackets); + public static string ProcessEntryMetaSourcePackets = nameof(ProcessEntryMetaSourcePackets); /// - /// process.source.port + /// process.entry_meta.source.port /// Port of the source. /// /// - public static string ProcessSourcePort = nameof(ProcessSourcePort); + public static string ProcessEntryMetaSourcePort = nameof(ProcessEntryMetaSourcePort); /// - /// process.source.registered_domain + /// process.entry_meta.source.registered_domain /// The highest registered source domain, stripped of the subdomain. /// For example, the registered domain for "foo.example.com" is "example.com". /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". /// example.com /// - public static string ProcessSourceRegisteredDomain = nameof(ProcessSourceRegisteredDomain); + public static string ProcessEntryMetaSourceRegisteredDomain = nameof(ProcessEntryMetaSourceRegisteredDomain); /// - /// process.source.subdomain + /// process.entry_meta.source.subdomain /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. /// east /// - public static string ProcessSourceSubdomain = nameof(ProcessSourceSubdomain); + public static string ProcessEntryMetaSourceSubdomain = nameof(ProcessEntryMetaSourceSubdomain); /// - /// process.source.top_level_domain + /// process.entry_meta.source.top_level_domain /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". /// co.uk /// - public static string ProcessSourceTopLevelDomain = nameof(ProcessSourceTopLevelDomain); + public static string ProcessEntryMetaSourceTopLevelDomain = nameof(ProcessEntryMetaSourceTopLevelDomain); /// - /// process.source.as.number + /// process.entry_meta.source.as.number /// Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. /// 15169 /// - public static string ProcessSourceAsNumber = nameof(ProcessSourceAsNumber); + public static string ProcessEntryMetaSourceAsNumber = nameof(ProcessEntryMetaSourceAsNumber); /// - /// process.source.as.organization.name + /// process.entry_meta.source.as.organization.name /// Organization name. /// Google LLC /// - public static string ProcessSourceAsOrganizationName = nameof(ProcessSourceAsOrganizationName); + public static string ProcessEntryMetaSourceAsOrganizationName = nameof(ProcessEntryMetaSourceAsOrganizationName); /// - /// process.source.geo.city_name + /// process.entry_meta.source.geo.city_name /// City name. /// Montreal /// - public static string ProcessSourceGeoCityName = nameof(ProcessSourceGeoCityName); + public static string ProcessEntryMetaSourceGeoCityName = nameof(ProcessEntryMetaSourceGeoCityName); /// - /// process.source.geo.continent_code + /// process.entry_meta.source.geo.continent_code /// Two-letter code representing continent's name. /// NA /// - public static string ProcessSourceGeoContinentCode = nameof(ProcessSourceGeoContinentCode); + public static string ProcessEntryMetaSourceGeoContinentCode = nameof(ProcessEntryMetaSourceGeoContinentCode); /// - /// process.source.geo.continent_name + /// process.entry_meta.source.geo.continent_name /// Name of the continent. /// North America /// - public static string ProcessSourceGeoContinentName = nameof(ProcessSourceGeoContinentName); + public static string ProcessEntryMetaSourceGeoContinentName = nameof(ProcessEntryMetaSourceGeoContinentName); /// - /// process.source.geo.country_iso_code + /// process.entry_meta.source.geo.country_iso_code /// Country ISO code. 
/// CA /// - public static string ProcessSourceGeoCountryIsoCode = nameof(ProcessSourceGeoCountryIsoCode); + public static string ProcessEntryMetaSourceGeoCountryIsoCode = nameof(ProcessEntryMetaSourceGeoCountryIsoCode); /// - /// process.source.geo.country_name + /// process.entry_meta.source.geo.country_name /// Country name. /// Canada /// - public static string ProcessSourceGeoCountryName = nameof(ProcessSourceGeoCountryName); + public static string ProcessEntryMetaSourceGeoCountryName = nameof(ProcessEntryMetaSourceGeoCountryName); /// - /// process.source.geo.name + /// process.entry_meta.source.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. /// Not typically used in automated geolocation. /// boston-dc /// - public static string ProcessSourceGeoName = nameof(ProcessSourceGeoName); + public static string ProcessEntryMetaSourceGeoName = nameof(ProcessEntryMetaSourceGeoName); /// - /// process.source.geo.postal_code + /// process.entry_meta.source.geo.postal_code /// Postal code associated with the location. /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. /// 94040 /// - public static string ProcessSourceGeoPostalCode = nameof(ProcessSourceGeoPostalCode); + public static string ProcessEntryMetaSourceGeoPostalCode = nameof(ProcessEntryMetaSourceGeoPostalCode); /// - /// process.source.geo.region_iso_code + /// process.entry_meta.source.geo.region_iso_code /// Region ISO code. /// CA-QC /// - public static string ProcessSourceGeoRegionIsoCode = nameof(ProcessSourceGeoRegionIsoCode); + public static string ProcessEntryMetaSourceGeoRegionIsoCode = nameof(ProcessEntryMetaSourceGeoRegionIsoCode); /// - /// process.source.geo.region_name + /// process.entry_meta.source.geo.region_name /// Region name. 
/// Quebec /// - public static string ProcessSourceGeoRegionName = nameof(ProcessSourceGeoRegionName); + public static string ProcessEntryMetaSourceGeoRegionName = nameof(ProcessEntryMetaSourceGeoRegionName); /// - /// process.source.geo.timezone + /// process.entry_meta.source.geo.timezone /// The time zone of the location, such as IANA time zone name. /// America/Argentina/Buenos_Aires /// - public static string ProcessSourceGeoTimezone = nameof(ProcessSourceGeoTimezone); + public static string ProcessEntryMetaSourceGeoTimezone = nameof(ProcessEntryMetaSourceGeoTimezone); /// - /// process.source.user.domain + /// process.entry_meta.source.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ProcessSourceUserDomain = nameof(ProcessSourceUserDomain); + public static string ProcessEntryMetaSourceUserDomain = nameof(ProcessEntryMetaSourceUserDomain); /// - /// process.source.user.email + /// process.entry_meta.source.user.email /// User email address. /// /// - public static string ProcessSourceUserEmail = nameof(ProcessSourceUserEmail); + public static string ProcessEntryMetaSourceUserEmail = nameof(ProcessEntryMetaSourceUserEmail); /// - /// process.source.user.full_name + /// process.entry_meta.source.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string ProcessSourceUserFullName = nameof(ProcessSourceUserFullName); + public static string ProcessEntryMetaSourceUserFullName = nameof(ProcessEntryMetaSourceUserFullName); /// - /// process.source.user.hash + /// process.entry_meta.source.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
/// /// - public static string ProcessSourceUserHash = nameof(ProcessSourceUserHash); + public static string ProcessEntryMetaSourceUserHash = nameof(ProcessEntryMetaSourceUserHash); /// - /// process.source.user.id + /// process.entry_meta.source.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ProcessSourceUserId = nameof(ProcessSourceUserId); + public static string ProcessEntryMetaSourceUserId = nameof(ProcessEntryMetaSourceUserId); /// - /// process.source.user.name + /// process.entry_meta.source.user.name /// Short name or login of the user. /// a.einstein /// - public static string ProcessSourceUserName = nameof(ProcessSourceUserName); + public static string ProcessEntryMetaSourceUserName = nameof(ProcessEntryMetaSourceUserName); /// - /// process.source.user.group.domain + /// process.entry_meta.source.user.group.domain /// Name of the directory the group is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ProcessSourceUserGroupDomain = nameof(ProcessSourceUserGroupDomain); + public static string ProcessEntryMetaSourceUserGroupDomain = nameof(ProcessEntryMetaSourceUserGroupDomain); /// - /// process.source.user.group.id + /// process.entry_meta.source.user.group.id /// Unique identifier for the group on the system/platform. /// /// - public static string ProcessSourceUserGroupId = nameof(ProcessSourceUserGroupId); + public static string ProcessEntryMetaSourceUserGroupId = nameof(ProcessEntryMetaSourceUserGroupId); /// - /// process.source.user.group.name + /// process.entry_meta.source.user.group.name /// Name of the group. 
/// /// - public static string ProcessSourceUserGroupName = nameof(ProcessSourceUserGroupName); + public static string ProcessEntryMetaSourceUserGroupName = nameof(ProcessEntryMetaSourceUserGroupName); /// - /// process.source.user.risk.calculated_level + /// process.entry_meta.source.user.risk.calculated_level /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. /// High /// - public static string ProcessSourceUserRiskCalculatedLevel = nameof(ProcessSourceUserRiskCalculatedLevel); + public static string ProcessEntryMetaSourceUserRiskCalculatedLevel = nameof(ProcessEntryMetaSourceUserRiskCalculatedLevel); /// - /// process.source.user.risk.calculated_score + /// process.entry_meta.source.user.risk.calculated_score /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. /// 880.73 /// - public static string ProcessSourceUserRiskCalculatedScore = nameof(ProcessSourceUserRiskCalculatedScore); + public static string ProcessEntryMetaSourceUserRiskCalculatedScore = nameof(ProcessEntryMetaSourceUserRiskCalculatedScore); /// - /// process.source.user.risk.calculated_score_norm + /// process.entry_meta.source.user.risk.calculated_score_norm /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. /// 88.73 /// - public static string ProcessSourceUserRiskCalculatedScoreNorm = nameof(ProcessSourceUserRiskCalculatedScoreNorm); + public static string ProcessEntryMetaSourceUserRiskCalculatedScoreNorm = nameof(ProcessEntryMetaSourceUserRiskCalculatedScoreNorm); /// - /// process.source.user.risk.static_level + /// process.entry_meta.source.user.risk.static_level /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. 
/// High /// - public static string ProcessSourceUserRiskStaticLevel = nameof(ProcessSourceUserRiskStaticLevel); + public static string ProcessEntryMetaSourceUserRiskStaticLevel = nameof(ProcessEntryMetaSourceUserRiskStaticLevel); /// - /// process.source.user.risk.static_score + /// process.entry_meta.source.user.risk.static_score /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. /// 830.0 /// - public static string ProcessSourceUserRiskStaticScore = nameof(ProcessSourceUserRiskStaticScore); + public static string ProcessEntryMetaSourceUserRiskStaticScore = nameof(ProcessEntryMetaSourceUserRiskStaticScore); /// - /// process.source.user.risk.static_score_norm + /// process.entry_meta.source.user.risk.static_score_norm /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. /// 83.0 /// - public static string ProcessSourceUserRiskStaticScoreNorm = nameof(ProcessSourceUserRiskStaticScoreNorm); + public static string ProcessEntryMetaSourceUserRiskStaticScoreNorm = nameof(ProcessEntryMetaSourceUserRiskStaticScoreNorm); /// - /// process.source.user.user.domain + /// process.entry_meta.source.user.target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ProcessSourceUserUserDomain = nameof(ProcessSourceUserUserDomain); + public static string ProcessEntryMetaSourceUserTargetUserDomain = nameof(ProcessEntryMetaSourceUserTargetUserDomain); /// - /// process.source.user.user.email + /// process.entry_meta.source.user.target.user.email /// User email address. 
/// /// - public static string ProcessSourceUserUserEmail = nameof(ProcessSourceUserUserEmail); + public static string ProcessEntryMetaSourceUserTargetUserEmail = nameof(ProcessEntryMetaSourceUserTargetUserEmail); /// - /// process.source.user.user.full_name + /// process.entry_meta.source.user.target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string ProcessSourceUserUserFullName = nameof(ProcessSourceUserUserFullName); + public static string ProcessEntryMetaSourceUserTargetUserFullName = nameof(ProcessEntryMetaSourceUserTargetUserFullName); /// - /// process.source.user.user.hash + /// process.entry_meta.source.user.target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ProcessSourceUserUserHash = nameof(ProcessSourceUserUserHash); + public static string ProcessEntryMetaSourceUserTargetUserHash = nameof(ProcessEntryMetaSourceUserTargetUserHash); /// - /// process.source.user.user.id + /// process.entry_meta.source.user.target.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ProcessSourceUserUserId = nameof(ProcessSourceUserUserId); + public static string ProcessEntryMetaSourceUserTargetUserId = nameof(ProcessEntryMetaSourceUserTargetUserId); /// - /// process.source.user.user.name + /// process.entry_meta.source.user.target.user.name /// Short name or login of the user. /// a.einstein /// - public static string ProcessSourceUserUserName = nameof(ProcessSourceUserUserName); + public static string ProcessEntryMetaSourceUserTargetUserName = nameof(ProcessEntryMetaSourceUserTargetUserName); /// /// process.user.domain /// Name of the directory the user is a member of. 
@@ -4422,721 +4422,721 @@ public static class LogTemplateProperties /// public static string ProcessUserRiskStaticScoreNorm = nameof(ProcessUserRiskStaticScoreNorm); /// - /// process.user.user.domain + /// process.user.target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ProcessUserUserDomain = nameof(ProcessUserUserDomain); + public static string ProcessUserTargetUserDomain = nameof(ProcessUserTargetUserDomain); /// - /// process.user.user.email + /// process.user.target.user.email /// User email address. /// /// - public static string ProcessUserUserEmail = nameof(ProcessUserUserEmail); + public static string ProcessUserTargetUserEmail = nameof(ProcessUserTargetUserEmail); /// - /// process.user.user.full_name + /// process.user.target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string ProcessUserUserFullName = nameof(ProcessUserUserFullName); + public static string ProcessUserTargetUserFullName = nameof(ProcessUserTargetUserFullName); /// - /// process.user.user.hash + /// process.user.target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ProcessUserUserHash = nameof(ProcessUserUserHash); + public static string ProcessUserTargetUserHash = nameof(ProcessUserTargetUserHash); /// - /// process.user.user.id + /// process.user.target.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ProcessUserUserId = nameof(ProcessUserUserId); + public static string ProcessUserTargetUserId = nameof(ProcessUserTargetUserId); /// - /// process.user.user.name + /// process.user.target.user.name /// Short name or login of the user. 
/// a.einstein /// - public static string ProcessUserUserName = nameof(ProcessUserUserName); + public static string ProcessUserTargetUserName = nameof(ProcessUserTargetUserName); /// - /// process.process.args_count + /// parent.process.args_count /// Length of the process.args array. /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. /// 4 /// - public static string ProcessProcessArgsCount = nameof(ProcessProcessArgsCount); + public static string ParentProcessArgsCount = nameof(ParentProcessArgsCount); /// - /// process.process.command_line + /// parent.process.command_line /// Full command line that started the process, including the absolute path to the executable, and all arguments. /// Some arguments may be filtered to protect sensitive information. /// /usr/bin/ssh -l user 10.0.0.16 /// - public static string ProcessProcessCommandLine = nameof(ProcessProcessCommandLine); + public static string ParentProcessCommandLine = nameof(ParentProcessCommandLine); /// - /// process.process.end + /// parent.process.end /// The time the process ended. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessEnd = nameof(ProcessProcessEnd); + public static string ParentProcessEnd = nameof(ParentProcessEnd); /// - /// process.process.entity_id + /// parent.process.entity_id /// Unique identifier for the process. /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
/// c2c455d9f99375d /// - public static string ProcessProcessEntityId = nameof(ProcessProcessEntityId); + public static string ParentProcessEntityId = nameof(ParentProcessEntityId); /// - /// process.process.executable + /// parent.process.executable /// Absolute path to the process executable. /// /usr/bin/ssh /// - public static string ProcessProcessExecutable = nameof(ProcessProcessExecutable); + public static string ParentProcessExecutable = nameof(ParentProcessExecutable); /// - /// process.process.exit_code + /// parent.process.exit_code /// The exit code of the process, if this is a termination event. /// The field should be absent if there is no exit code for the event (e.g. process start). /// 137 /// - public static string ProcessProcessExitCode = nameof(ProcessProcessExitCode); + public static string ParentProcessExitCode = nameof(ParentProcessExitCode); /// - /// process.process.interactive + /// parent.process.interactive /// Whether the process is connected to an interactive shell. /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. /// true /// - public static string ProcessProcessInteractive = nameof(ProcessProcessInteractive); + public static string ParentProcessInteractive = nameof(ParentProcessInteractive); /// - /// process.process.name + /// parent.process.name /// Process name. /// Sometimes called program name or similar. 
/// ssh /// - public static string ProcessProcessName = nameof(ProcessProcessName); + public static string ParentProcessName = nameof(ParentProcessName); /// - /// process.process.pgid + /// parent.process.pgid /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. /// Identifier of the group of processes the process belongs to. /// /// - public static string ProcessProcessPgid = nameof(ProcessProcessPgid); + public static string ParentProcessPgid = nameof(ParentProcessPgid); /// - /// process.process.pid + /// parent.process.pid /// Process id. /// 4242 /// - public static string ProcessProcessPid = nameof(ProcessProcessPid); + public static string ParentProcessPid = nameof(ParentProcessPid); /// - /// process.process.start + /// parent.process.start /// The time the process started. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessStart = nameof(ProcessProcessStart); + public static string ParentProcessStart = nameof(ParentProcessStart); /// - /// process.process.thread.id + /// parent.process.thread.id /// Thread ID. /// 4242 /// - public static string ProcessProcessThreadId = nameof(ProcessProcessThreadId); + public static string ParentProcessThreadId = nameof(ParentProcessThreadId); /// - /// process.process.thread.name + /// parent.process.thread.name /// Thread name. /// thread-0 /// - public static string ProcessProcessThreadName = nameof(ProcessProcessThreadName); + public static string ParentProcessThreadName = nameof(ParentProcessThreadName); /// - /// process.process.title + /// parent.process.title /// Process title. /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
/// /// - public static string ProcessProcessTitle = nameof(ProcessProcessTitle); + public static string ParentProcessTitle = nameof(ParentProcessTitle); /// - /// process.process.uptime + /// parent.process.uptime /// Seconds the process has been up. /// 1325 /// - public static string ProcessProcessUptime = nameof(ProcessProcessUptime); + public static string ParentProcessUptime = nameof(ParentProcessUptime); /// - /// process.process.vpid + /// parent.process.vpid /// Virtual process id. /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. /// 4242 /// - public static string ProcessProcessVpid = nameof(ProcessProcessVpid); + public static string ParentProcessVpid = nameof(ParentProcessVpid); /// - /// process.process.working_directory + /// parent.process.working_directory /// The working directory of the process. /// /home/alice /// - public static string ProcessProcessWorkingDirectory = nameof(ProcessProcessWorkingDirectory); + public static string ParentProcessWorkingDirectory = nameof(ParentProcessWorkingDirectory); /// - /// process.process.parent.process.args_count + /// process.parent.group_leader.process.args_count /// Length of the process.args array. /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. /// 4 /// - public static string ProcessProcessParentProcessArgsCount = nameof(ProcessProcessParentProcessArgsCount); + public static string ProcessParentGroupLeaderProcessArgsCount = nameof(ProcessParentGroupLeaderProcessArgsCount); /// - /// process.process.parent.process.command_line + /// process.parent.group_leader.process.command_line /// Full command line that started the process, including the absolute path to the executable, and all arguments. 
/// Some arguments may be filtered to protect sensitive information. /// /usr/bin/ssh -l user 10.0.0.16 /// - public static string ProcessProcessParentProcessCommandLine = nameof(ProcessProcessParentProcessCommandLine); + public static string ProcessParentGroupLeaderProcessCommandLine = nameof(ProcessParentGroupLeaderProcessCommandLine); /// - /// process.process.parent.process.end + /// process.parent.group_leader.process.end /// The time the process ended. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessParentProcessEnd = nameof(ProcessProcessParentProcessEnd); + public static string ProcessParentGroupLeaderProcessEnd = nameof(ProcessParentGroupLeaderProcessEnd); /// - /// process.process.parent.process.entity_id + /// process.parent.group_leader.process.entity_id /// Unique identifier for the process. /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. /// c2c455d9f99375d /// - public static string ProcessProcessParentProcessEntityId = nameof(ProcessProcessParentProcessEntityId); + public static string ProcessParentGroupLeaderProcessEntityId = nameof(ProcessParentGroupLeaderProcessEntityId); /// - /// process.process.parent.process.executable + /// process.parent.group_leader.process.executable /// Absolute path to the process executable. 
/// /usr/bin/ssh /// - public static string ProcessProcessParentProcessExecutable = nameof(ProcessProcessParentProcessExecutable); + public static string ProcessParentGroupLeaderProcessExecutable = nameof(ProcessParentGroupLeaderProcessExecutable); /// - /// process.process.parent.process.exit_code + /// process.parent.group_leader.process.exit_code /// The exit code of the process, if this is a termination event. /// The field should be absent if there is no exit code for the event (e.g. process start). /// 137 /// - public static string ProcessProcessParentProcessExitCode = nameof(ProcessProcessParentProcessExitCode); + public static string ProcessParentGroupLeaderProcessExitCode = nameof(ProcessParentGroupLeaderProcessExitCode); /// - /// process.process.parent.process.interactive + /// process.parent.group_leader.process.interactive /// Whether the process is connected to an interactive shell. /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. /// true /// - public static string ProcessProcessParentProcessInteractive = nameof(ProcessProcessParentProcessInteractive); + public static string ProcessParentGroupLeaderProcessInteractive = nameof(ProcessParentGroupLeaderProcessInteractive); /// - /// process.process.parent.process.name + /// process.parent.group_leader.process.name /// Process name. /// Sometimes called program name or similar. 
/// ssh /// - public static string ProcessProcessParentProcessName = nameof(ProcessProcessParentProcessName); + public static string ProcessParentGroupLeaderProcessName = nameof(ProcessParentGroupLeaderProcessName); /// - /// process.process.parent.process.pgid + /// process.parent.group_leader.process.pgid /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. /// Identifier of the group of processes the process belongs to. /// /// - public static string ProcessProcessParentProcessPgid = nameof(ProcessProcessParentProcessPgid); + public static string ProcessParentGroupLeaderProcessPgid = nameof(ProcessParentGroupLeaderProcessPgid); /// - /// process.process.parent.process.pid + /// process.parent.group_leader.process.pid /// Process id. /// 4242 /// - public static string ProcessProcessParentProcessPid = nameof(ProcessProcessParentProcessPid); + public static string ProcessParentGroupLeaderProcessPid = nameof(ProcessParentGroupLeaderProcessPid); /// - /// process.process.parent.process.start + /// process.parent.group_leader.process.start /// The time the process started. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessParentProcessStart = nameof(ProcessProcessParentProcessStart); + public static string ProcessParentGroupLeaderProcessStart = nameof(ProcessParentGroupLeaderProcessStart); /// - /// process.process.parent.process.thread.id + /// process.parent.group_leader.process.thread.id /// Thread ID. /// 4242 /// - public static string ProcessProcessParentProcessThreadId = nameof(ProcessProcessParentProcessThreadId); + public static string ProcessParentGroupLeaderProcessThreadId = nameof(ProcessParentGroupLeaderProcessThreadId); /// - /// process.process.parent.process.thread.name + /// process.parent.group_leader.process.thread.name /// Thread name. 
/// thread-0 /// - public static string ProcessProcessParentProcessThreadName = nameof(ProcessProcessParentProcessThreadName); + public static string ProcessParentGroupLeaderProcessThreadName = nameof(ProcessParentGroupLeaderProcessThreadName); /// - /// process.process.parent.process.title + /// process.parent.group_leader.process.title /// Process title. /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. /// /// - public static string ProcessProcessParentProcessTitle = nameof(ProcessProcessParentProcessTitle); + public static string ProcessParentGroupLeaderProcessTitle = nameof(ProcessParentGroupLeaderProcessTitle); /// - /// process.process.parent.process.uptime + /// process.parent.group_leader.process.uptime /// Seconds the process has been up. /// 1325 /// - public static string ProcessProcessParentProcessUptime = nameof(ProcessProcessParentProcessUptime); + public static string ProcessParentGroupLeaderProcessUptime = nameof(ProcessParentGroupLeaderProcessUptime); /// - /// process.process.parent.process.vpid + /// process.parent.group_leader.process.vpid /// Virtual process id. /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. /// 4242 /// - public static string ProcessProcessParentProcessVpid = nameof(ProcessProcessParentProcessVpid); + public static string ProcessParentGroupLeaderProcessVpid = nameof(ProcessParentGroupLeaderProcessVpid); /// - /// process.process.parent.process.working_directory + /// process.parent.group_leader.process.working_directory /// The working directory of the process. 
/// /home/alice /// - public static string ProcessProcessParentProcessWorkingDirectory = nameof(ProcessProcessParentProcessWorkingDirectory); + public static string ProcessParentGroupLeaderProcessWorkingDirectory = nameof(ProcessParentGroupLeaderProcessWorkingDirectory); /// - /// process.process.entry_leader.process.args_count + /// process.entry_leader.parent.process.args_count /// Length of the process.args array. /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. /// 4 /// - public static string ProcessProcessEntryLeaderProcessArgsCount = nameof(ProcessProcessEntryLeaderProcessArgsCount); + public static string ProcessEntryLeaderParentProcessArgsCount = nameof(ProcessEntryLeaderParentProcessArgsCount); /// - /// process.process.entry_leader.process.command_line + /// process.entry_leader.parent.process.command_line /// Full command line that started the process, including the absolute path to the executable, and all arguments. /// Some arguments may be filtered to protect sensitive information. /// /usr/bin/ssh -l user 10.0.0.16 /// - public static string ProcessProcessEntryLeaderProcessCommandLine = nameof(ProcessProcessEntryLeaderProcessCommandLine); + public static string ProcessEntryLeaderParentProcessCommandLine = nameof(ProcessEntryLeaderParentProcessCommandLine); /// - /// process.process.entry_leader.process.end + /// process.entry_leader.parent.process.end /// The time the process ended. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessEntryLeaderProcessEnd = nameof(ProcessProcessEntryLeaderProcessEnd); + public static string ProcessEntryLeaderParentProcessEnd = nameof(ProcessEntryLeaderParentProcessEnd); /// - /// process.process.entry_leader.process.entity_id + /// process.entry_leader.parent.process.entity_id /// Unique identifier for the process. 
/// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. /// c2c455d9f99375d /// - public static string ProcessProcessEntryLeaderProcessEntityId = nameof(ProcessProcessEntryLeaderProcessEntityId); + public static string ProcessEntryLeaderParentProcessEntityId = nameof(ProcessEntryLeaderParentProcessEntityId); /// - /// process.process.entry_leader.process.executable + /// process.entry_leader.parent.process.executable /// Absolute path to the process executable. /// /usr/bin/ssh /// - public static string ProcessProcessEntryLeaderProcessExecutable = nameof(ProcessProcessEntryLeaderProcessExecutable); + public static string ProcessEntryLeaderParentProcessExecutable = nameof(ProcessEntryLeaderParentProcessExecutable); /// - /// process.process.entry_leader.process.exit_code + /// process.entry_leader.parent.process.exit_code /// The exit code of the process, if this is a termination event. /// The field should be absent if there is no exit code for the event (e.g. process start). /// 137 /// - public static string ProcessProcessEntryLeaderProcessExitCode = nameof(ProcessProcessEntryLeaderProcessExitCode); + public static string ProcessEntryLeaderParentProcessExitCode = nameof(ProcessEntryLeaderParentProcessExitCode); /// - /// process.process.entry_leader.process.interactive + /// process.entry_leader.parent.process.interactive /// Whether the process is connected to an interactive shell. /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. 
/// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. /// true /// - public static string ProcessProcessEntryLeaderProcessInteractive = nameof(ProcessProcessEntryLeaderProcessInteractive); + public static string ProcessEntryLeaderParentProcessInteractive = nameof(ProcessEntryLeaderParentProcessInteractive); /// - /// process.process.entry_leader.process.name + /// process.entry_leader.parent.process.name /// Process name. /// Sometimes called program name or similar. /// ssh /// - public static string ProcessProcessEntryLeaderProcessName = nameof(ProcessProcessEntryLeaderProcessName); + public static string ProcessEntryLeaderParentProcessName = nameof(ProcessEntryLeaderParentProcessName); /// - /// process.process.entry_leader.process.pgid + /// process.entry_leader.parent.process.pgid /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. /// Identifier of the group of processes the process belongs to. /// /// - public static string ProcessProcessEntryLeaderProcessPgid = nameof(ProcessProcessEntryLeaderProcessPgid); + public static string ProcessEntryLeaderParentProcessPgid = nameof(ProcessEntryLeaderParentProcessPgid); /// - /// process.process.entry_leader.process.pid + /// process.entry_leader.parent.process.pid /// Process id. /// 4242 /// - public static string ProcessProcessEntryLeaderProcessPid = nameof(ProcessProcessEntryLeaderProcessPid); + public static string ProcessEntryLeaderParentProcessPid = nameof(ProcessEntryLeaderParentProcessPid); /// - /// process.process.entry_leader.process.start + /// process.entry_leader.parent.process.start /// The time the process started. 
/// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessEntryLeaderProcessStart = nameof(ProcessProcessEntryLeaderProcessStart); + public static string ProcessEntryLeaderParentProcessStart = nameof(ProcessEntryLeaderParentProcessStart); /// - /// process.process.entry_leader.process.thread.id + /// process.entry_leader.parent.process.thread.id /// Thread ID. /// 4242 /// - public static string ProcessProcessEntryLeaderProcessThreadId = nameof(ProcessProcessEntryLeaderProcessThreadId); + public static string ProcessEntryLeaderParentProcessThreadId = nameof(ProcessEntryLeaderParentProcessThreadId); /// - /// process.process.entry_leader.process.thread.name + /// process.entry_leader.parent.process.thread.name /// Thread name. /// thread-0 /// - public static string ProcessProcessEntryLeaderProcessThreadName = nameof(ProcessProcessEntryLeaderProcessThreadName); + public static string ProcessEntryLeaderParentProcessThreadName = nameof(ProcessEntryLeaderParentProcessThreadName); /// - /// process.process.entry_leader.process.title + /// process.entry_leader.parent.process.title /// Process title. /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. /// /// - public static string ProcessProcessEntryLeaderProcessTitle = nameof(ProcessProcessEntryLeaderProcessTitle); + public static string ProcessEntryLeaderParentProcessTitle = nameof(ProcessEntryLeaderParentProcessTitle); /// - /// process.process.entry_leader.process.uptime + /// process.entry_leader.parent.process.uptime /// Seconds the process has been up. /// 1325 /// - public static string ProcessProcessEntryLeaderProcessUptime = nameof(ProcessProcessEntryLeaderProcessUptime); + public static string ProcessEntryLeaderParentProcessUptime = nameof(ProcessEntryLeaderParentProcessUptime); /// - /// process.process.entry_leader.process.vpid + /// process.entry_leader.parent.process.vpid /// Virtual process id. 
/// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. /// 4242 /// - public static string ProcessProcessEntryLeaderProcessVpid = nameof(ProcessProcessEntryLeaderProcessVpid); + public static string ProcessEntryLeaderParentProcessVpid = nameof(ProcessEntryLeaderParentProcessVpid); /// - /// process.process.entry_leader.process.working_directory + /// process.entry_leader.parent.process.working_directory /// The working directory of the process. /// /home/alice /// - public static string ProcessProcessEntryLeaderProcessWorkingDirectory = nameof(ProcessProcessEntryLeaderProcessWorkingDirectory); + public static string ProcessEntryLeaderParentProcessWorkingDirectory = nameof(ProcessEntryLeaderParentProcessWorkingDirectory); /// - /// process.process.entry_leader.process.entry_leader.parent.process.args_count + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count /// Length of the process.args array. /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. /// 4 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount); /// - /// process.process.entry_leader.process.entry_leader.parent.process.command_line + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line /// Full command line that started the process, including the absolute path to the executable, and all arguments. /// Some arguments may be filtered to protect sensitive information. 
/// /usr/bin/ssh -l user 10.0.0.16 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine); /// - /// process.process.entry_leader.process.entry_leader.parent.process.end + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.end /// The time the process ended. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd); /// - /// process.process.entry_leader.process.entry_leader.parent.process.entity_id + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id /// Unique identifier for the process. /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
/// c2c455d9f99375d /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId); /// - /// process.process.entry_leader.process.entry_leader.parent.process.executable + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.executable /// Absolute path to the process executable. /// /usr/bin/ssh /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable); /// - /// process.process.entry_leader.process.entry_leader.parent.process.exit_code + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code /// The exit code of the process, if this is a termination event. /// The field should be absent if there is no exit code for the event (e.g. process start). /// 137 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode); /// - /// process.process.entry_leader.process.entry_leader.parent.process.interactive + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive /// Whether the process is connected to an interactive shell. /// Process interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. /// true /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive); /// - /// process.process.entry_leader.process.entry_leader.parent.process.name + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.name /// Process name. /// Sometimes called program name or similar. /// ssh /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName); /// - /// process.process.entry_leader.process.entry_leader.parent.process.pgid + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. /// Identifier of the group of processes the process belongs to. 
/// /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid); /// - /// process.process.entry_leader.process.entry_leader.parent.process.pid + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.pid /// Process id. /// 4242 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid); /// - /// process.process.entry_leader.process.entry_leader.parent.process.start + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.start /// The time the process started. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart); /// - /// process.process.entry_leader.process.entry_leader.parent.process.thread.id + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id /// Thread ID. 
/// 4242 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId); /// - /// process.process.entry_leader.process.entry_leader.parent.process.thread.name + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name /// Thread name. /// thread-0 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName); /// - /// process.process.entry_leader.process.entry_leader.parent.process.title + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.title /// Process title. /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. /// /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle); /// - /// process.process.entry_leader.process.entry_leader.parent.process.uptime + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime /// Seconds the process has been up. 
/// 1325 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime); /// - /// process.process.entry_leader.process.entry_leader.parent.process.vpid + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid /// Virtual process id. /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. /// 4242 /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid); /// - /// process.process.entry_leader.process.entry_leader.parent.process.working_directory + /// entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory /// The working directory of the process. /// /home/alice /// - public static string ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory = nameof(ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory); + public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory); /// - /// process.process.session_leader.process.args_count + /// process.session_leader.parent.process.args_count /// Length of the process.args array. /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity. /// 4 /// - public static string ProcessProcessSessionLeaderProcessArgsCount = nameof(ProcessProcessSessionLeaderProcessArgsCount); + public static string ProcessSessionLeaderParentProcessArgsCount = nameof(ProcessSessionLeaderParentProcessArgsCount); /// - /// process.process.session_leader.process.command_line + /// process.session_leader.parent.process.command_line /// Full command line that started the process, including the absolute path to the executable, and all arguments. /// Some arguments may be filtered to protect sensitive information. /// /usr/bin/ssh -l user 10.0.0.16 /// - public static string ProcessProcessSessionLeaderProcessCommandLine = nameof(ProcessProcessSessionLeaderProcessCommandLine); + public static string ProcessSessionLeaderParentProcessCommandLine = nameof(ProcessSessionLeaderParentProcessCommandLine); /// - /// process.process.session_leader.process.end + /// process.session_leader.parent.process.end /// The time the process ended. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessSessionLeaderProcessEnd = nameof(ProcessProcessSessionLeaderProcessEnd); + public static string ProcessSessionLeaderParentProcessEnd = nameof(ProcessSessionLeaderParentProcessEnd); /// - /// process.process.session_leader.process.entity_id + /// process.session_leader.parent.process.entity_id /// Unique identifier for the process. /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
/// c2c455d9f99375d /// - public static string ProcessProcessSessionLeaderProcessEntityId = nameof(ProcessProcessSessionLeaderProcessEntityId); + public static string ProcessSessionLeaderParentProcessEntityId = nameof(ProcessSessionLeaderParentProcessEntityId); /// - /// process.process.session_leader.process.executable + /// process.session_leader.parent.process.executable /// Absolute path to the process executable. /// /usr/bin/ssh /// - public static string ProcessProcessSessionLeaderProcessExecutable = nameof(ProcessProcessSessionLeaderProcessExecutable); + public static string ProcessSessionLeaderParentProcessExecutable = nameof(ProcessSessionLeaderParentProcessExecutable); /// - /// process.process.session_leader.process.exit_code + /// process.session_leader.parent.process.exit_code /// The exit code of the process, if this is a termination event. /// The field should be absent if there is no exit code for the event (e.g. process start). /// 137 /// - public static string ProcessProcessSessionLeaderProcessExitCode = nameof(ProcessProcessSessionLeaderProcessExitCode); + public static string ProcessSessionLeaderParentProcessExitCode = nameof(ProcessSessionLeaderParentProcessExitCode); /// - /// process.process.session_leader.process.interactive + /// process.session_leader.parent.process.interactive /// Whether the process is connected to an interactive shell. /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. 
/// true /// - public static string ProcessProcessSessionLeaderProcessInteractive = nameof(ProcessProcessSessionLeaderProcessInteractive); + public static string ProcessSessionLeaderParentProcessInteractive = nameof(ProcessSessionLeaderParentProcessInteractive); /// - /// process.process.session_leader.process.name + /// process.session_leader.parent.process.name /// Process name. /// Sometimes called program name or similar. /// ssh /// - public static string ProcessProcessSessionLeaderProcessName = nameof(ProcessProcessSessionLeaderProcessName); + public static string ProcessSessionLeaderParentProcessName = nameof(ProcessSessionLeaderParentProcessName); /// - /// process.process.session_leader.process.pgid + /// process.session_leader.parent.process.pgid /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. /// Identifier of the group of processes the process belongs to. /// /// - public static string ProcessProcessSessionLeaderProcessPgid = nameof(ProcessProcessSessionLeaderProcessPgid); + public static string ProcessSessionLeaderParentProcessPgid = nameof(ProcessSessionLeaderParentProcessPgid); /// - /// process.process.session_leader.process.pid + /// process.session_leader.parent.process.pid /// Process id. /// 4242 /// - public static string ProcessProcessSessionLeaderProcessPid = nameof(ProcessProcessSessionLeaderProcessPid); + public static string ProcessSessionLeaderParentProcessPid = nameof(ProcessSessionLeaderParentProcessPid); /// - /// process.process.session_leader.process.start + /// process.session_leader.parent.process.start /// The time the process started. 
/// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessSessionLeaderProcessStart = nameof(ProcessProcessSessionLeaderProcessStart); + public static string ProcessSessionLeaderParentProcessStart = nameof(ProcessSessionLeaderParentProcessStart); /// - /// process.process.session_leader.process.thread.id + /// process.session_leader.parent.process.thread.id /// Thread ID. /// 4242 /// - public static string ProcessProcessSessionLeaderProcessThreadId = nameof(ProcessProcessSessionLeaderProcessThreadId); + public static string ProcessSessionLeaderParentProcessThreadId = nameof(ProcessSessionLeaderParentProcessThreadId); /// - /// process.process.session_leader.process.thread.name + /// process.session_leader.parent.process.thread.name /// Thread name. /// thread-0 /// - public static string ProcessProcessSessionLeaderProcessThreadName = nameof(ProcessProcessSessionLeaderProcessThreadName); + public static string ProcessSessionLeaderParentProcessThreadName = nameof(ProcessSessionLeaderParentProcessThreadName); /// - /// process.process.session_leader.process.title + /// process.session_leader.parent.process.title /// Process title. /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. /// /// - public static string ProcessProcessSessionLeaderProcessTitle = nameof(ProcessProcessSessionLeaderProcessTitle); + public static string ProcessSessionLeaderParentProcessTitle = nameof(ProcessSessionLeaderParentProcessTitle); /// - /// process.process.session_leader.process.uptime + /// process.session_leader.parent.process.uptime /// Seconds the process has been up. 
/// 1325 /// - public static string ProcessProcessSessionLeaderProcessUptime = nameof(ProcessProcessSessionLeaderProcessUptime); + public static string ProcessSessionLeaderParentProcessUptime = nameof(ProcessSessionLeaderParentProcessUptime); /// - /// process.process.session_leader.process.vpid + /// process.session_leader.parent.process.vpid /// Virtual process id. /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. /// 4242 /// - public static string ProcessProcessSessionLeaderProcessVpid = nameof(ProcessProcessSessionLeaderProcessVpid); + public static string ProcessSessionLeaderParentProcessVpid = nameof(ProcessSessionLeaderParentProcessVpid); /// - /// process.process.session_leader.process.working_directory + /// process.session_leader.parent.process.working_directory /// The working directory of the process. /// /home/alice /// - public static string ProcessProcessSessionLeaderProcessWorkingDirectory = nameof(ProcessProcessSessionLeaderProcessWorkingDirectory); + public static string ProcessSessionLeaderParentProcessWorkingDirectory = nameof(ProcessSessionLeaderParentProcessWorkingDirectory); /// - /// process.process.session_leader.process.session_leader.parent.process.args_count + /// session_leader.process.parent.session_leader.parent.session_leader.process.args_count /// Length of the process.args array. /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
/// 4 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount); /// - /// process.process.session_leader.process.session_leader.parent.process.command_line + /// session_leader.process.parent.session_leader.parent.session_leader.process.command_line /// Full command line that started the process, including the absolute path to the executable, and all arguments. /// Some arguments may be filtered to protect sensitive information. /// /usr/bin/ssh -l user 10.0.0.16 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine); /// - /// process.process.session_leader.process.session_leader.parent.process.end + /// session_leader.process.parent.session_leader.parent.session_leader.process.end /// The time the process ended. /// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd); /// - /// process.process.session_leader.process.session_leader.parent.process.entity_id + /// session_leader.process.parent.session_leader.parent.session_leader.process.entity_id /// Unique identifier for the process. 
/// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. /// c2c455d9f99375d /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId); /// - /// process.process.session_leader.process.session_leader.parent.process.executable + /// session_leader.process.parent.session_leader.parent.session_leader.process.executable /// Absolute path to the process executable. /// /usr/bin/ssh /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable); /// - /// process.process.session_leader.process.session_leader.parent.process.exit_code + /// session_leader.process.parent.session_leader.parent.session_leader.process.exit_code /// The exit code of the process, if this is a termination event. /// The field should be absent if there is no exit code for the event (e.g. process start). 
/// 137 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode); /// - /// process.process.session_leader.process.session_leader.parent.process.interactive + /// session_leader.process.parent.session_leader.parent.session_leader.process.interactive /// Whether the process is connected to an interactive shell. /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. /// true /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive); /// - /// process.process.session_leader.process.session_leader.parent.process.name + /// session_leader.process.parent.session_leader.parent.session_leader.process.name /// Process name. /// Sometimes called program name or similar. 
/// ssh /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName); /// - /// process.process.session_leader.process.session_leader.parent.process.pgid + /// session_leader.process.parent.session_leader.parent.session_leader.process.pgid /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. /// Identifier of the group of processes the process belongs to. /// /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid); /// - /// process.process.session_leader.process.session_leader.parent.process.pid + /// session_leader.process.parent.session_leader.parent.session_leader.process.pid /// Process id. /// 4242 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid); /// - /// process.process.session_leader.process.session_leader.parent.process.start + /// session_leader.process.parent.session_leader.parent.session_leader.process.start /// The time the process started. 
/// 5/23/2016 8:05:34 AM /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart); /// - /// process.process.session_leader.process.session_leader.parent.process.thread.id + /// session_leader.process.parent.session_leader.parent.session_leader.process.thread.id /// Thread ID. /// 4242 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId); /// - /// process.process.session_leader.process.session_leader.parent.process.thread.name + /// session_leader.process.parent.session_leader.parent.session_leader.process.thread.name /// Thread name. /// thread-0 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName); /// - /// process.process.session_leader.process.session_leader.parent.process.title + /// session_leader.process.parent.session_leader.parent.session_leader.process.title /// Process title. /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
/// /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle); /// - /// process.process.session_leader.process.session_leader.parent.process.uptime + /// session_leader.process.parent.session_leader.parent.session_leader.process.uptime /// Seconds the process has been up. /// 1325 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime); /// - /// process.process.session_leader.process.session_leader.parent.process.vpid + /// session_leader.process.parent.session_leader.parent.session_leader.process.vpid /// Virtual process id. /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. /// 4242 /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid); /// - /// process.process.session_leader.process.session_leader.parent.process.working_directory + /// session_leader.process.parent.session_leader.parent.session_leader.process.working_directory /// The working directory of the process. 
/// /home/alice /// - public static string ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory = nameof(ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory); + public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory); /// /// registry.data.bytes /// Original bytes written with base64 encoding. 
@@ -5516,43 +5516,43 @@ public static class LogTemplateProperties /// public static string ServerUserRiskStaticScoreNorm = nameof(ServerUserRiskStaticScoreNorm); /// - /// server.user.user.domain + /// server.user.target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ServerUserUserDomain = nameof(ServerUserUserDomain); + public static string ServerUserTargetUserDomain = nameof(ServerUserTargetUserDomain); /// - /// server.user.user.email + /// server.user.target.user.email /// User email address. /// /// - public static string ServerUserUserEmail = nameof(ServerUserUserEmail); + public static string ServerUserTargetUserEmail = nameof(ServerUserTargetUserEmail); /// - /// server.user.user.full_name + /// server.user.target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string ServerUserUserFullName = nameof(ServerUserUserFullName); + public static string ServerUserTargetUserFullName = nameof(ServerUserTargetUserFullName); /// - /// server.user.user.hash + /// server.user.target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ServerUserUserHash = nameof(ServerUserUserHash); + public static string ServerUserTargetUserHash = nameof(ServerUserTargetUserHash); /// - /// server.user.user.id + /// server.user.target.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ServerUserUserId = nameof(ServerUserUserId); + public static string ServerUserTargetUserId = nameof(ServerUserTargetUserId); /// - /// server.user.user.name + /// server.user.target.user.name /// Short name or login of the user. 
/// a.einstein /// - public static string ServerUserUserName = nameof(ServerUserUserName); + public static string ServerUserTargetUserName = nameof(ServerUserTargetUserName); /// /// service.address /// Address where data about this service was collected from. @@ -5632,53 +5632,53 @@ public static class LogTemplateProperties /// public static string ServiceVersion = nameof(ServiceVersion); /// - /// service.service.address + /// origin.service.address /// Address where data about this service was collected from. /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). /// 172.26.0.2:5432 /// - public static string ServiceServiceAddress = nameof(ServiceServiceAddress); + public static string OriginServiceAddress = nameof(OriginServiceAddress); /// - /// service.service.environment + /// origin.service.environment /// Identifies the environment where the service is running. /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. ///
This field is beta and subject to change.
/// production ///
- public static string ServiceServiceEnvironment = nameof(ServiceServiceEnvironment); + public static string OriginServiceEnvironment = nameof(OriginServiceEnvironment); /// - /// service.service.ephemeral_id + /// origin.service.ephemeral_id /// Ephemeral identifier of this service (if one exists). /// This id normally changes across restarts, but `service.id` does not. /// 8a4f500f /// - public static string ServiceServiceEphemeralId = nameof(ServiceServiceEphemeralId); + public static string OriginServiceEphemeralId = nameof(OriginServiceEphemeralId); /// - /// service.service.id + /// origin.service.id /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 /// - public static string ServiceServiceId = nameof(ServiceServiceId); + public static string OriginServiceId = nameof(OriginServiceId); /// - /// service.service.name + /// origin.service.name /// Name of the service data is collected from. /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. /// elasticsearch-metrics /// - public static string ServiceServiceName = nameof(ServiceServiceName); + public static string OriginServiceName = nameof(OriginServiceName); /// - /// service.service.node.name + /// origin.service.node.name /// Name of a service node. 
/// This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. /// instance-0000000016 /// - public static string ServiceServiceNodeName = nameof(ServiceServiceNodeName); + public static string OriginServiceNodeName = nameof(OriginServiceNodeName); /// - /// service.service.node.role + /// origin.service.node.role /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. /// Role of a service node. /// This allows for distinction between different running roles of the same service. 
@@ -5687,28 +5687,28 @@ public static class LogTemplateProperties /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. /// background_tasks /// - public static string ServiceServiceNodeRole = nameof(ServiceServiceNodeRole); + public static string OriginServiceNodeRole = nameof(OriginServiceNodeRole); /// - /// service.service.state + /// origin.service.state /// Current state of the service. /// /// - public static string ServiceServiceState = nameof(ServiceServiceState); + public static string OriginServiceState = nameof(OriginServiceState); /// - /// service.service.type + /// origin.service.type /// The type of the service data is collected from. /// The type can be used to group and correlate logs and metrics from one service type. /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. /// elasticsearch /// - public static string ServiceServiceType = nameof(ServiceServiceType); + public static string OriginServiceType = nameof(OriginServiceType); /// - /// service.service.version + /// origin.service.version /// Version of the service the data was collected from. /// This allows to look at a data set only for a specific version of a service. /// 3.2.4 /// - public static string ServiceServiceVersion = nameof(ServiceServiceVersion); + public static string OriginServiceVersion = nameof(OriginServiceVersion); /// /// source.address /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
@@ -5960,43 +5960,43 @@ public static class LogTemplateProperties /// public static string SourceUserRiskStaticScoreNorm = nameof(SourceUserRiskStaticScoreNorm); /// - /// source.user.user.domain + /// source.user.target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string SourceUserUserDomain = nameof(SourceUserUserDomain); + public static string SourceUserTargetUserDomain = nameof(SourceUserTargetUserDomain); /// - /// source.user.user.email + /// source.user.target.user.email /// User email address. /// /// - public static string SourceUserUserEmail = nameof(SourceUserUserEmail); + public static string SourceUserTargetUserEmail = nameof(SourceUserTargetUserEmail); /// - /// source.user.user.full_name + /// source.user.target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string SourceUserUserFullName = nameof(SourceUserUserFullName); + public static string SourceUserTargetUserFullName = nameof(SourceUserTargetUserFullName); /// - /// source.user.user.hash + /// source.user.target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string SourceUserUserHash = nameof(SourceUserUserHash); + public static string SourceUserTargetUserHash = nameof(SourceUserTargetUserHash); /// - /// source.user.user.id + /// source.user.target.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string SourceUserUserId = nameof(SourceUserUserId); + public static string SourceUserTargetUserId = nameof(SourceUserTargetUserId); /// - /// source.user.user.name + /// source.user.target.user.name /// Short name or login of the user. 
/// a.einstein /// - public static string SourceUserUserName = nameof(SourceUserUserName); + public static string SourceUserTargetUserName = nameof(SourceUserTargetUserName); /// /// threat.feed.dashboard_id /// The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. 
@@ -6216,870 +6216,870 @@ public static class LogTemplateProperties /// public static string ThreatSoftwareType = nameof(ThreatSoftwareType); /// - /// threat.x509.issuer.distinguished_name + /// threat.indicator.x509.issuer.distinguished_name /// Distinguished name (DN) of issuing certificate authority. /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string ThreatX509IssuerDistinguishedName = nameof(ThreatX509IssuerDistinguishedName); + public static string ThreatIndicatorX509IssuerDistinguishedName = nameof(ThreatIndicatorX509IssuerDistinguishedName); /// - /// threat.x509.not_after + /// threat.indicator.x509.not_after /// Time at which the certificate is no longer considered valid. /// 7/16/2020 3:15:39 AM /// - public static string ThreatX509NotAfter = nameof(ThreatX509NotAfter); + public static string ThreatIndicatorX509NotAfter = nameof(ThreatIndicatorX509NotAfter); /// - /// threat.x509.not_before + /// threat.indicator.x509.not_before /// Time at which the certificate is first considered valid. /// 8/16/2019 1:40:25 AM /// - public static string ThreatX509NotBefore = nameof(ThreatX509NotBefore); + public static string ThreatIndicatorX509NotBefore = nameof(ThreatIndicatorX509NotBefore); /// - /// threat.x509.public_key_algorithm + /// threat.indicator.x509.public_key_algorithm /// Algorithm used to generate the public key. /// RSA /// - public static string ThreatX509PublicKeyAlgorithm = nameof(ThreatX509PublicKeyAlgorithm); + public static string ThreatIndicatorX509PublicKeyAlgorithm = nameof(ThreatIndicatorX509PublicKeyAlgorithm); /// - /// threat.x509.public_key_curve + /// threat.indicator.x509.public_key_curve /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
/// nistp521 /// - public static string ThreatX509PublicKeyCurve = nameof(ThreatX509PublicKeyCurve); + public static string ThreatIndicatorX509PublicKeyCurve = nameof(ThreatIndicatorX509PublicKeyCurve); /// - /// threat.x509.public_key_exponent + /// threat.indicator.x509.public_key_exponent /// Exponent used to derive the public key. This is algorithm specific. ///
Stored but not available for search in Elasticsearch by default
/// 65537 ///
- public static string ThreatX509PublicKeyExponent = nameof(ThreatX509PublicKeyExponent); + public static string ThreatIndicatorX509PublicKeyExponent = nameof(ThreatIndicatorX509PublicKeyExponent); /// - /// threat.x509.public_key_size + /// threat.indicator.x509.public_key_size /// The size of the public key space in bits. /// 2048 /// - public static string ThreatX509PublicKeySize = nameof(ThreatX509PublicKeySize); + public static string ThreatIndicatorX509PublicKeySize = nameof(ThreatIndicatorX509PublicKeySize); /// - /// threat.x509.serial_number + /// threat.indicator.x509.serial_number /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. /// 55FBB9C7DEBF09809D12CCAA /// - public static string ThreatX509SerialNumber = nameof(ThreatX509SerialNumber); + public static string ThreatIndicatorX509SerialNumber = nameof(ThreatIndicatorX509SerialNumber); /// - /// threat.x509.signature_algorithm + /// threat.indicator.x509.signature_algorithm /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. /// SHA256-RSA /// - public static string ThreatX509SignatureAlgorithm = nameof(ThreatX509SignatureAlgorithm); + public static string ThreatIndicatorX509SignatureAlgorithm = nameof(ThreatIndicatorX509SignatureAlgorithm); /// - /// threat.x509.subject.distinguished_name + /// threat.indicator.x509.subject.distinguished_name /// Distinguished name (DN) of the certificate subject entity. 
/// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string ThreatX509SubjectDistinguishedName = nameof(ThreatX509SubjectDistinguishedName); + public static string ThreatIndicatorX509SubjectDistinguishedName = nameof(ThreatIndicatorX509SubjectDistinguishedName); /// - /// threat.x509.version_number + /// threat.indicator.x509.version_number /// Version of x509 format. /// 3 /// - public static string ThreatX509VersionNumber = nameof(ThreatX509VersionNumber); + public static string ThreatIndicatorX509VersionNumber = nameof(ThreatIndicatorX509VersionNumber); /// - /// threat.as.number + /// threat.indicator.as.number /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. /// 15169 /// - public static string ThreatAsNumber = nameof(ThreatAsNumber); + public static string ThreatIndicatorAsNumber = nameof(ThreatIndicatorAsNumber); /// - /// threat.as.organization.name + /// threat.indicator.as.organization.name /// Organization name. /// Google LLC /// - public static string ThreatAsOrganizationName = nameof(ThreatAsOrganizationName); + public static string ThreatIndicatorAsOrganizationName = nameof(ThreatIndicatorAsOrganizationName); /// - /// threat.file.accessed + /// threat.indicator.file.accessed /// Last time the file was accessed. /// Note that not all filesystems keep track of access time. /// /// - public static string ThreatFileAccessed = nameof(ThreatFileAccessed); + public static string ThreatIndicatorFileAccessed = nameof(ThreatIndicatorFileAccessed); /// - /// threat.file.created + /// threat.indicator.file.created /// File creation time. /// Note that not all filesystems store the creation time. 
/// /// - public static string ThreatFileCreated = nameof(ThreatFileCreated); + public static string ThreatIndicatorFileCreated = nameof(ThreatIndicatorFileCreated); /// - /// threat.file.ctime + /// threat.indicator.file.ctime /// Last time the file attributes or metadata changed. /// Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. /// /// - public static string ThreatFileCtime = nameof(ThreatFileCtime); + public static string ThreatIndicatorFileCtime = nameof(ThreatIndicatorFileCtime); /// - /// threat.file.device + /// threat.indicator.file.device /// Device that is the source of the file. /// sda /// - public static string ThreatFileDevice = nameof(ThreatFileDevice); + public static string ThreatIndicatorFileDevice = nameof(ThreatIndicatorFileDevice); /// - /// threat.file.directory + /// threat.indicator.file.directory /// Directory where the file is located. It should include the drive letter, when appropriate. /// /home/alice /// - public static string ThreatFileDirectory = nameof(ThreatFileDirectory); + public static string ThreatIndicatorFileDirectory = nameof(ThreatIndicatorFileDirectory); /// - /// threat.file.drive_letter + /// threat.indicator.file.drive_letter /// Drive letter where the file is located. This field is only relevant on Windows. /// The value should be uppercase, and not include the colon. /// C /// - public static string ThreatFileDriveLetter = nameof(ThreatFileDriveLetter); + public static string ThreatIndicatorFileDriveLetter = nameof(ThreatIndicatorFileDriveLetter); /// - /// threat.file.extension + /// threat.indicator.file.extension /// File extension, excluding the leading dot. /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). 
/// png /// - public static string ThreatFileExtension = nameof(ThreatFileExtension); + public static string ThreatIndicatorFileExtension = nameof(ThreatIndicatorFileExtension); /// - /// threat.file.fork_name + /// threat.indicator.file.fork_name /// A fork is additional data associated with a filesystem object. /// On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. /// On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. /// Zone.Identifer /// - public static string ThreatFileForkName = nameof(ThreatFileForkName); + public static string ThreatIndicatorFileForkName = nameof(ThreatIndicatorFileForkName); /// - /// threat.file.gid + /// threat.indicator.file.gid /// Primary group ID (GID) of the file. /// 1001 /// - public static string ThreatFileGid = nameof(ThreatFileGid); + public static string ThreatIndicatorFileGid = nameof(ThreatIndicatorFileGid); /// - /// threat.file.group + /// threat.indicator.file.group /// Primary group name of the file. /// alice /// - public static string ThreatFileGroup = nameof(ThreatFileGroup); + public static string ThreatIndicatorFileGroup = nameof(ThreatIndicatorFileGroup); /// - /// threat.file.inode + /// threat.indicator.file.inode /// Inode representing the file in the filesystem. 
/// 256383 /// - public static string ThreatFileInode = nameof(ThreatFileInode); + public static string ThreatIndicatorFileInode = nameof(ThreatIndicatorFileInode); /// - /// threat.file.mime_type + /// threat.indicator.file.mime_type /// MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. /// /// - public static string ThreatFileMimeType = nameof(ThreatFileMimeType); + public static string ThreatIndicatorFileMimeType = nameof(ThreatIndicatorFileMimeType); /// - /// threat.file.mode + /// threat.indicator.file.mode /// Mode of the file in octal representation. /// 0640 /// - public static string ThreatFileMode = nameof(ThreatFileMode); + public static string ThreatIndicatorFileMode = nameof(ThreatIndicatorFileMode); /// - /// threat.file.mtime + /// threat.indicator.file.mtime /// Last time the file content was modified. /// /// - public static string ThreatFileMtime = nameof(ThreatFileMtime); + public static string ThreatIndicatorFileMtime = nameof(ThreatIndicatorFileMtime); /// - /// threat.file.name + /// threat.indicator.file.name /// Name of the file including the extension, without the directory. /// example.png /// - public static string ThreatFileName = nameof(ThreatFileName); + public static string ThreatIndicatorFileName = nameof(ThreatIndicatorFileName); /// - /// threat.file.owner + /// threat.indicator.file.owner /// File owner's username. /// alice /// - public static string ThreatFileOwner = nameof(ThreatFileOwner); + public static string ThreatIndicatorFileOwner = nameof(ThreatIndicatorFileOwner); /// - /// threat.file.path + /// threat.indicator.file.path /// Full path to the file, including the file name. It should include the drive letter, when appropriate. 
/// /home/alice/example.png /// - public static string ThreatFilePath = nameof(ThreatFilePath); + public static string ThreatIndicatorFilePath = nameof(ThreatIndicatorFilePath); /// - /// threat.file.size + /// threat.indicator.file.size /// File size in bytes. /// Only relevant when `file.type` is "file". /// 16384 /// - public static string ThreatFileSize = nameof(ThreatFileSize); + public static string ThreatIndicatorFileSize = nameof(ThreatIndicatorFileSize); /// - /// threat.file.target_path + /// threat.indicator.file.target_path /// Target path for symlinks. /// /// - public static string ThreatFileTargetPath = nameof(ThreatFileTargetPath); + public static string ThreatIndicatorFileTargetPath = nameof(ThreatIndicatorFileTargetPath); /// - /// threat.file.type + /// threat.indicator.file.type /// File type (file, dir, or symlink). /// file /// - public static string ThreatFileType = nameof(ThreatFileType); + public static string ThreatIndicatorFileType = nameof(ThreatIndicatorFileType); /// - /// threat.file.uid + /// threat.indicator.file.uid /// The user ID (UID) or security identifier (SID) of the file owner. /// 1001 /// - public static string ThreatFileUid = nameof(ThreatFileUid); + public static string ThreatIndicatorFileUid = nameof(ThreatIndicatorFileUid); /// - /// threat.file.hash.md5 + /// threat.indicator.file.hash.md5 /// MD5 hash. /// /// - public static string ThreatFileHashMd5 = nameof(ThreatFileHashMd5); + public static string ThreatIndicatorFileHashMd5 = nameof(ThreatIndicatorFileHashMd5); /// - /// threat.file.hash.sha1 + /// threat.indicator.file.hash.sha1 /// SHA1 hash. /// /// - public static string ThreatFileHashSha1 = nameof(ThreatFileHashSha1); + public static string ThreatIndicatorFileHashSha1 = nameof(ThreatIndicatorFileHashSha1); /// - /// threat.file.hash.sha256 + /// threat.indicator.file.hash.sha256 /// SHA256 hash. 
/// /// - public static string ThreatFileHashSha256 = nameof(ThreatFileHashSha256); + public static string ThreatIndicatorFileHashSha256 = nameof(ThreatIndicatorFileHashSha256); /// - /// threat.file.hash.sha384 + /// threat.indicator.file.hash.sha384 /// SHA384 hash. /// /// - public static string ThreatFileHashSha384 = nameof(ThreatFileHashSha384); + public static string ThreatIndicatorFileHashSha384 = nameof(ThreatIndicatorFileHashSha384); /// - /// threat.file.hash.sha512 + /// threat.indicator.file.hash.sha512 /// SHA512 hash. /// /// - public static string ThreatFileHashSha512 = nameof(ThreatFileHashSha512); + public static string ThreatIndicatorFileHashSha512 = nameof(ThreatIndicatorFileHashSha512); /// - /// threat.file.hash.ssdeep + /// threat.indicator.file.hash.ssdeep /// SSDEEP hash. /// /// - public static string ThreatFileHashSsdeep = nameof(ThreatFileHashSsdeep); + public static string ThreatIndicatorFileHashSsdeep = nameof(ThreatIndicatorFileHashSsdeep); /// - /// threat.file.hash.tlsh + /// threat.indicator.file.hash.tlsh /// TLSH hash. /// /// - public static string ThreatFileHashTlsh = nameof(ThreatFileHashTlsh); + public static string ThreatIndicatorFileHashTlsh = nameof(ThreatIndicatorFileHashTlsh); /// - /// threat.file.pe.architecture + /// threat.indicator.file.pe.architecture /// CPU architecture target for the file. /// x64 /// - public static string ThreatFilePeArchitecture = nameof(ThreatFilePeArchitecture); + public static string ThreatIndicatorFilePeArchitecture = nameof(ThreatIndicatorFilePeArchitecture); /// - /// threat.file.pe.company + /// threat.indicator.file.pe.company /// Internal company name of the file, provided at compile-time. 
/// Microsoft Corporation /// - public static string ThreatFilePeCompany = nameof(ThreatFilePeCompany); + public static string ThreatIndicatorFilePeCompany = nameof(ThreatIndicatorFilePeCompany); /// - /// threat.file.pe.description + /// threat.indicator.file.pe.description /// Internal description of the file, provided at compile-time. /// Paint /// - public static string ThreatFilePeDescription = nameof(ThreatFilePeDescription); + public static string ThreatIndicatorFilePeDescription = nameof(ThreatIndicatorFilePeDescription); /// - /// threat.file.pe.file_version + /// threat.indicator.file.pe.file_version /// Internal version of the file, provided at compile-time. /// 6.3.9600.17415 /// - public static string ThreatFilePeFileVersion = nameof(ThreatFilePeFileVersion); + public static string ThreatIndicatorFilePeFileVersion = nameof(ThreatIndicatorFilePeFileVersion); /// - /// threat.file.pe.go_import_hash + /// threat.indicator.file.pe.go_import_hash /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ThreatFilePeGoImportHash = nameof(ThreatFilePeGoImportHash); + public static string ThreatIndicatorFilePeGoImportHash = nameof(ThreatIndicatorFilePeGoImportHash); /// - /// threat.file.pe.go_imports + /// threat.indicator.file.pe.go_imports /// List of imported Go language element names and types. 
/// /// - public static string ThreatFilePeGoImports = nameof(ThreatFilePeGoImports); + public static string ThreatIndicatorFilePeGoImports = nameof(ThreatIndicatorFilePeGoImports); /// - /// threat.file.pe.go_imports_names_entropy + /// threat.indicator.file.pe.go_imports_names_entropy /// Shannon entropy calculation from the list of Go imports. /// /// - public static string ThreatFilePeGoImportsNamesEntropy = nameof(ThreatFilePeGoImportsNamesEntropy); + public static string ThreatIndicatorFilePeGoImportsNamesEntropy = nameof(ThreatIndicatorFilePeGoImportsNamesEntropy); /// - /// threat.file.pe.go_imports_names_var_entropy + /// threat.indicator.file.pe.go_imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string ThreatFilePeGoImportsNamesVarEntropy = nameof(ThreatFilePeGoImportsNamesVarEntropy); + public static string ThreatIndicatorFilePeGoImportsNamesVarEntropy = nameof(ThreatIndicatorFilePeGoImportsNamesVarEntropy); /// - /// threat.file.pe.go_stripped + /// threat.indicator.file.pe.go_stripped /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string ThreatFilePeGoStripped = nameof(ThreatFilePeGoStripped); + public static string ThreatIndicatorFilePeGoStripped = nameof(ThreatIndicatorFilePeGoStripped); /// - /// threat.file.pe.imphash + /// threat.indicator.file.pe.imphash /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
/// 0c6803c4e922103c4dca5963aad36ddf /// - public static string ThreatFilePeImphash = nameof(ThreatFilePeImphash); + public static string ThreatIndicatorFilePeImphash = nameof(ThreatIndicatorFilePeImphash); /// - /// threat.file.pe.import_hash + /// threat.indicator.file.pe.import_hash /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// This is a synonym for imphash. /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ThreatFilePeImportHash = nameof(ThreatFilePeImportHash); + public static string ThreatIndicatorFilePeImportHash = nameof(ThreatIndicatorFilePeImportHash); /// - /// threat.file.pe.imports_names_entropy + /// threat.indicator.file.pe.imports_names_entropy /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string ThreatFilePeImportsNamesEntropy = nameof(ThreatFilePeImportsNamesEntropy); + public static string ThreatIndicatorFilePeImportsNamesEntropy = nameof(ThreatIndicatorFilePeImportsNamesEntropy); /// - /// threat.file.pe.imports_names_var_entropy + /// threat.indicator.file.pe.imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string ThreatFilePeImportsNamesVarEntropy = nameof(ThreatFilePeImportsNamesVarEntropy); + public static string ThreatIndicatorFilePeImportsNamesVarEntropy = nameof(ThreatIndicatorFilePeImportsNamesVarEntropy); /// - /// threat.file.pe.original_file_name + /// threat.indicator.file.pe.original_file_name /// Internal name of the file, provided at compile-time. 
/// MSPAINT.EXE /// - public static string ThreatFilePeOriginalFileName = nameof(ThreatFilePeOriginalFileName); + public static string ThreatIndicatorFilePeOriginalFileName = nameof(ThreatIndicatorFilePeOriginalFileName); /// - /// threat.file.pe.pehash + /// threat.indicator.file.pe.pehash /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. /// 73ff189b63cd6be375a7ff25179a38d347651975 /// - public static string ThreatFilePePehash = nameof(ThreatFilePePehash); + public static string ThreatIndicatorFilePePehash = nameof(ThreatIndicatorFilePePehash); /// - /// threat.file.pe.product + /// threat.indicator.file.pe.product /// Internal product name of the file, provided at compile-time. /// Microsoft® Windows® Operating System /// - public static string ThreatFilePeProduct = nameof(ThreatFilePeProduct); + public static string ThreatIndicatorFilePeProduct = nameof(ThreatIndicatorFilePeProduct); /// - /// threat.file.x509.issuer.distinguished_name + /// threat.indicator.file.x509.issuer.distinguished_name /// Distinguished name (DN) of issuing certificate authority. /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string ThreatFileX509IssuerDistinguishedName = nameof(ThreatFileX509IssuerDistinguishedName); + public static string ThreatIndicatorFileX509IssuerDistinguishedName = nameof(ThreatIndicatorFileX509IssuerDistinguishedName); /// - /// threat.file.x509.not_after + /// threat.indicator.file.x509.not_after /// Time at which the certificate is no longer considered valid. 
/// 7/16/2020 3:15:39 AM /// - public static string ThreatFileX509NotAfter = nameof(ThreatFileX509NotAfter); + public static string ThreatIndicatorFileX509NotAfter = nameof(ThreatIndicatorFileX509NotAfter); /// - /// threat.file.x509.not_before + /// threat.indicator.file.x509.not_before /// Time at which the certificate is first considered valid. /// 8/16/2019 1:40:25 AM /// - public static string ThreatFileX509NotBefore = nameof(ThreatFileX509NotBefore); + public static string ThreatIndicatorFileX509NotBefore = nameof(ThreatIndicatorFileX509NotBefore); /// - /// threat.file.x509.public_key_algorithm + /// threat.indicator.file.x509.public_key_algorithm /// Algorithm used to generate the public key. /// RSA /// - public static string ThreatFileX509PublicKeyAlgorithm = nameof(ThreatFileX509PublicKeyAlgorithm); + public static string ThreatIndicatorFileX509PublicKeyAlgorithm = nameof(ThreatIndicatorFileX509PublicKeyAlgorithm); /// - /// threat.file.x509.public_key_curve + /// threat.indicator.file.x509.public_key_curve /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. /// nistp521 /// - public static string ThreatFileX509PublicKeyCurve = nameof(ThreatFileX509PublicKeyCurve); + public static string ThreatIndicatorFileX509PublicKeyCurve = nameof(ThreatIndicatorFileX509PublicKeyCurve); /// - /// threat.file.x509.public_key_exponent + /// threat.indicator.file.x509.public_key_exponent /// Exponent used to derive the public key. This is algorithm specific. ///
Stored but not available for search in Elasticsearch by default
/// 65537 ///
- public static string ThreatFileX509PublicKeyExponent = nameof(ThreatFileX509PublicKeyExponent); + public static string ThreatIndicatorFileX509PublicKeyExponent = nameof(ThreatIndicatorFileX509PublicKeyExponent); /// - /// threat.file.x509.public_key_size + /// threat.indicator.file.x509.public_key_size /// The size of the public key space in bits. /// 2048 /// - public static string ThreatFileX509PublicKeySize = nameof(ThreatFileX509PublicKeySize); + public static string ThreatIndicatorFileX509PublicKeySize = nameof(ThreatIndicatorFileX509PublicKeySize); /// - /// threat.file.x509.serial_number + /// threat.indicator.file.x509.serial_number /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. /// 55FBB9C7DEBF09809D12CCAA /// - public static string ThreatFileX509SerialNumber = nameof(ThreatFileX509SerialNumber); + public static string ThreatIndicatorFileX509SerialNumber = nameof(ThreatIndicatorFileX509SerialNumber); /// - /// threat.file.x509.signature_algorithm + /// threat.indicator.file.x509.signature_algorithm /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. /// SHA256-RSA /// - public static string ThreatFileX509SignatureAlgorithm = nameof(ThreatFileX509SignatureAlgorithm); + public static string ThreatIndicatorFileX509SignatureAlgorithm = nameof(ThreatIndicatorFileX509SignatureAlgorithm); /// - /// threat.file.x509.subject.distinguished_name + /// threat.indicator.file.x509.subject.distinguished_name /// Distinguished name (DN) of the certificate subject entity. 
/// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string ThreatFileX509SubjectDistinguishedName = nameof(ThreatFileX509SubjectDistinguishedName); + public static string ThreatIndicatorFileX509SubjectDistinguishedName = nameof(ThreatIndicatorFileX509SubjectDistinguishedName); /// - /// threat.file.x509.version_number + /// threat.indicator.file.x509.version_number /// Version of x509 format. /// 3 /// - public static string ThreatFileX509VersionNumber = nameof(ThreatFileX509VersionNumber); + public static string ThreatIndicatorFileX509VersionNumber = nameof(ThreatIndicatorFileX509VersionNumber); /// - /// threat.file.code_signature.digest_algorithm + /// threat.indicator.file.code_signature.digest_algorithm /// The hashing algorithm used to sign the process. /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. /// sha256 /// - public static string ThreatFileCodeSignatureDigestAlgorithm = nameof(ThreatFileCodeSignatureDigestAlgorithm); + public static string ThreatIndicatorFileCodeSignatureDigestAlgorithm = nameof(ThreatIndicatorFileCodeSignatureDigestAlgorithm); /// - /// threat.file.code_signature.exists + /// threat.indicator.file.code_signature.exists /// Boolean to capture if a signature is present. /// true /// - public static string ThreatFileCodeSignatureExists = nameof(ThreatFileCodeSignatureExists); + public static string ThreatIndicatorFileCodeSignatureExists = nameof(ThreatIndicatorFileCodeSignatureExists); /// - /// threat.file.code_signature.signing_id + /// threat.indicator.file.code_signature.signing_id /// The identifier used to sign the process. /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. 
/// com.apple.xpc.proxy /// - public static string ThreatFileCodeSignatureSigningId = nameof(ThreatFileCodeSignatureSigningId); + public static string ThreatIndicatorFileCodeSignatureSigningId = nameof(ThreatIndicatorFileCodeSignatureSigningId); /// - /// threat.file.code_signature.status + /// threat.indicator.file.code_signature.status /// Additional information about the certificate status. /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. /// ERROR_UNTRUSTED_ROOT /// - public static string ThreatFileCodeSignatureStatus = nameof(ThreatFileCodeSignatureStatus); + public static string ThreatIndicatorFileCodeSignatureStatus = nameof(ThreatIndicatorFileCodeSignatureStatus); /// - /// threat.file.code_signature.subject_name + /// threat.indicator.file.code_signature.subject_name /// Subject name of the code signer /// Microsoft Corporation /// - public static string ThreatFileCodeSignatureSubjectName = nameof(ThreatFileCodeSignatureSubjectName); + public static string ThreatIndicatorFileCodeSignatureSubjectName = nameof(ThreatIndicatorFileCodeSignatureSubjectName); /// - /// threat.file.code_signature.team_id + /// threat.indicator.file.code_signature.team_id /// The team identifier used to sign the process. /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. /// EQHXZ8M8AV /// - public static string ThreatFileCodeSignatureTeamId = nameof(ThreatFileCodeSignatureTeamId); + public static string ThreatIndicatorFileCodeSignatureTeamId = nameof(ThreatIndicatorFileCodeSignatureTeamId); /// - /// threat.file.code_signature.timestamp + /// threat.indicator.file.code_signature.timestamp /// Date and time when the code signature was generated and signed. 
/// 1/1/2021 12:10:30 PM /// - public static string ThreatFileCodeSignatureTimestamp = nameof(ThreatFileCodeSignatureTimestamp); + public static string ThreatIndicatorFileCodeSignatureTimestamp = nameof(ThreatIndicatorFileCodeSignatureTimestamp); /// - /// threat.file.code_signature.trusted + /// threat.indicator.file.code_signature.trusted /// Stores the trust status of the certificate chain. /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. /// true /// - public static string ThreatFileCodeSignatureTrusted = nameof(ThreatFileCodeSignatureTrusted); + public static string ThreatIndicatorFileCodeSignatureTrusted = nameof(ThreatIndicatorFileCodeSignatureTrusted); /// - /// threat.file.code_signature.valid + /// threat.indicator.file.code_signature.valid /// Boolean to capture if the digital signature is verified against the binary content. /// Leave unpopulated if a certificate was unchecked. /// true /// - public static string ThreatFileCodeSignatureValid = nameof(ThreatFileCodeSignatureValid); + public static string ThreatIndicatorFileCodeSignatureValid = nameof(ThreatIndicatorFileCodeSignatureValid); /// - /// threat.file.elf.architecture + /// threat.indicator.file.elf.architecture /// Machine architecture of the ELF file. /// x86-64 /// - public static string ThreatFileElfArchitecture = nameof(ThreatFileElfArchitecture); + public static string ThreatIndicatorFileElfArchitecture = nameof(ThreatIndicatorFileElfArchitecture); /// - /// threat.file.elf.byte_order + /// threat.indicator.file.elf.byte_order /// Byte sequence of ELF file. /// Little Endian /// - public static string ThreatFileElfByteOrder = nameof(ThreatFileElfByteOrder); + public static string ThreatIndicatorFileElfByteOrder = nameof(ThreatIndicatorFileElfByteOrder); /// - /// threat.file.elf.cpu_type + /// threat.indicator.file.elf.cpu_type /// CPU type of the ELF file. 
/// Intel /// - public static string ThreatFileElfCpuType = nameof(ThreatFileElfCpuType); + public static string ThreatIndicatorFileElfCpuType = nameof(ThreatIndicatorFileElfCpuType); /// - /// threat.file.elf.creation_date + /// threat.indicator.file.elf.creation_date /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. /// /// - public static string ThreatFileElfCreationDate = nameof(ThreatFileElfCreationDate); + public static string ThreatIndicatorFileElfCreationDate = nameof(ThreatIndicatorFileElfCreationDate); /// - /// threat.file.elf.go_import_hash + /// threat.indicator.file.elf.go_import_hash /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ThreatFileElfGoImportHash = nameof(ThreatFileElfGoImportHash); + public static string ThreatIndicatorFileElfGoImportHash = nameof(ThreatIndicatorFileElfGoImportHash); /// - /// threat.file.elf.go_imports + /// threat.indicator.file.elf.go_imports /// List of imported Go language element names and types. /// /// - public static string ThreatFileElfGoImports = nameof(ThreatFileElfGoImports); + public static string ThreatIndicatorFileElfGoImports = nameof(ThreatIndicatorFileElfGoImports); /// - /// threat.file.elf.go_imports_names_entropy + /// threat.indicator.file.elf.go_imports_names_entropy /// Shannon entropy calculation from the list of Go imports. 
/// /// - public static string ThreatFileElfGoImportsNamesEntropy = nameof(ThreatFileElfGoImportsNamesEntropy); + public static string ThreatIndicatorFileElfGoImportsNamesEntropy = nameof(ThreatIndicatorFileElfGoImportsNamesEntropy); /// - /// threat.file.elf.go_imports_names_var_entropy + /// threat.indicator.file.elf.go_imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string ThreatFileElfGoImportsNamesVarEntropy = nameof(ThreatFileElfGoImportsNamesVarEntropy); + public static string ThreatIndicatorFileElfGoImportsNamesVarEntropy = nameof(ThreatIndicatorFileElfGoImportsNamesVarEntropy); /// - /// threat.file.elf.go_stripped + /// threat.indicator.file.elf.go_stripped /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string ThreatFileElfGoStripped = nameof(ThreatFileElfGoStripped); + public static string ThreatIndicatorFileElfGoStripped = nameof(ThreatIndicatorFileElfGoStripped); /// - /// threat.file.elf.header.abi_version + /// threat.indicator.file.elf.header.abi_version /// Version of the ELF Application Binary Interface (ABI). /// /// - public static string ThreatFileElfHeaderAbiVersion = nameof(ThreatFileElfHeaderAbiVersion); + public static string ThreatIndicatorFileElfHeaderAbiVersion = nameof(ThreatIndicatorFileElfHeaderAbiVersion); /// - /// threat.file.elf.header.class + /// threat.indicator.file.elf.header.class /// Header class of the ELF file. /// /// - public static string ThreatFileElfHeaderClass = nameof(ThreatFileElfHeaderClass); + public static string ThreatIndicatorFileElfHeaderClass = nameof(ThreatIndicatorFileElfHeaderClass); /// - /// threat.file.elf.header.data + /// threat.indicator.file.elf.header.data /// Data table of the ELF header. 
/// /// - public static string ThreatFileElfHeaderData = nameof(ThreatFileElfHeaderData); + public static string ThreatIndicatorFileElfHeaderData = nameof(ThreatIndicatorFileElfHeaderData); /// - /// threat.file.elf.header.entrypoint + /// threat.indicator.file.elf.header.entrypoint /// Header entrypoint of the ELF file. /// /// - public static string ThreatFileElfHeaderEntrypoint = nameof(ThreatFileElfHeaderEntrypoint); + public static string ThreatIndicatorFileElfHeaderEntrypoint = nameof(ThreatIndicatorFileElfHeaderEntrypoint); /// - /// threat.file.elf.header.object_version + /// threat.indicator.file.elf.header.object_version /// "0x1" for original ELF files. /// /// - public static string ThreatFileElfHeaderObjectVersion = nameof(ThreatFileElfHeaderObjectVersion); + public static string ThreatIndicatorFileElfHeaderObjectVersion = nameof(ThreatIndicatorFileElfHeaderObjectVersion); /// - /// threat.file.elf.header.os_abi + /// threat.indicator.file.elf.header.os_abi /// Application Binary Interface (ABI) of the Linux OS. /// /// - public static string ThreatFileElfHeaderOsAbi = nameof(ThreatFileElfHeaderOsAbi); + public static string ThreatIndicatorFileElfHeaderOsAbi = nameof(ThreatIndicatorFileElfHeaderOsAbi); /// - /// threat.file.elf.header.type + /// threat.indicator.file.elf.header.type /// Header type of the ELF file. /// /// - public static string ThreatFileElfHeaderType = nameof(ThreatFileElfHeaderType); + public static string ThreatIndicatorFileElfHeaderType = nameof(ThreatIndicatorFileElfHeaderType); /// - /// threat.file.elf.header.version + /// threat.indicator.file.elf.header.version /// Version of the ELF header. /// /// - public static string ThreatFileElfHeaderVersion = nameof(ThreatFileElfHeaderVersion); + public static string ThreatIndicatorFileElfHeaderVersion = nameof(ThreatIndicatorFileElfHeaderVersion); /// - /// threat.file.elf.import_hash + /// threat.indicator.file.elf.import_hash /// A hash of the imports in an ELF file. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// This is an ELF implementation of the Windows PE imphash. /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ThreatFileElfImportHash = nameof(ThreatFileElfImportHash); + public static string ThreatIndicatorFileElfImportHash = nameof(ThreatIndicatorFileElfImportHash); /// - /// threat.file.elf.imports_names_entropy + /// threat.indicator.file.elf.imports_names_entropy /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string ThreatFileElfImportsNamesEntropy = nameof(ThreatFileElfImportsNamesEntropy); + public static string ThreatIndicatorFileElfImportsNamesEntropy = nameof(ThreatIndicatorFileElfImportsNamesEntropy); /// - /// threat.file.elf.imports_names_var_entropy + /// threat.indicator.file.elf.imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string ThreatFileElfImportsNamesVarEntropy = nameof(ThreatFileElfImportsNamesVarEntropy); + public static string ThreatIndicatorFileElfImportsNamesVarEntropy = nameof(ThreatIndicatorFileElfImportsNamesVarEntropy); /// - /// threat.file.elf.telfhash + /// threat.indicator.file.elf.telfhash /// telfhash symbol hash for ELF file. /// /// - public static string ThreatFileElfTelfhash = nameof(ThreatFileElfTelfhash); + public static string ThreatIndicatorFileElfTelfhash = nameof(ThreatIndicatorFileElfTelfhash); /// - /// threat.file.macho.go_import_hash + /// threat.indicator.file.macho.go_import_hash /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
/// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ThreatFileMachoGoImportHash = nameof(ThreatFileMachoGoImportHash); + public static string ThreatIndicatorFileMachoGoImportHash = nameof(ThreatIndicatorFileMachoGoImportHash); /// - /// threat.file.macho.go_imports + /// threat.indicator.file.macho.go_imports /// List of imported Go language element names and types. /// /// - public static string ThreatFileMachoGoImports = nameof(ThreatFileMachoGoImports); + public static string ThreatIndicatorFileMachoGoImports = nameof(ThreatIndicatorFileMachoGoImports); /// - /// threat.file.macho.go_imports_names_entropy + /// threat.indicator.file.macho.go_imports_names_entropy /// Shannon entropy calculation from the list of Go imports. /// /// - public static string ThreatFileMachoGoImportsNamesEntropy = nameof(ThreatFileMachoGoImportsNamesEntropy); + public static string ThreatIndicatorFileMachoGoImportsNamesEntropy = nameof(ThreatIndicatorFileMachoGoImportsNamesEntropy); /// - /// threat.file.macho.go_imports_names_var_entropy + /// threat.indicator.file.macho.go_imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string ThreatFileMachoGoImportsNamesVarEntropy = nameof(ThreatFileMachoGoImportsNamesVarEntropy); + public static string ThreatIndicatorFileMachoGoImportsNamesVarEntropy = nameof(ThreatIndicatorFileMachoGoImportsNamesVarEntropy); /// - /// threat.file.macho.go_stripped + /// threat.indicator.file.macho.go_stripped /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. 
/// /// - public static string ThreatFileMachoGoStripped = nameof(ThreatFileMachoGoStripped); + public static string ThreatIndicatorFileMachoGoStripped = nameof(ThreatIndicatorFileMachoGoStripped); /// - /// threat.file.macho.import_hash + /// threat.indicator.file.macho.import_hash /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// This is a synonym for symhash. /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ThreatFileMachoImportHash = nameof(ThreatFileMachoImportHash); + public static string ThreatIndicatorFileMachoImportHash = nameof(ThreatIndicatorFileMachoImportHash); /// - /// threat.file.macho.imports_names_entropy + /// threat.indicator.file.macho.imports_names_entropy /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string ThreatFileMachoImportsNamesEntropy = nameof(ThreatFileMachoImportsNamesEntropy); + public static string ThreatIndicatorFileMachoImportsNamesEntropy = nameof(ThreatIndicatorFileMachoImportsNamesEntropy); /// - /// threat.file.macho.imports_names_var_entropy + /// threat.indicator.file.macho.imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string ThreatFileMachoImportsNamesVarEntropy = nameof(ThreatFileMachoImportsNamesVarEntropy); + public static string ThreatIndicatorFileMachoImportsNamesVarEntropy = nameof(ThreatIndicatorFileMachoImportsNamesVarEntropy); /// - /// threat.file.macho.symhash + /// threat.indicator.file.macho.symhash /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
/// This is a Mach-O implementation of the Windows PE imphash /// d3ccf195b62a9279c3c19af1080497ec /// - public static string ThreatFileMachoSymhash = nameof(ThreatFileMachoSymhash); + public static string ThreatIndicatorFileMachoSymhash = nameof(ThreatIndicatorFileMachoSymhash); /// - /// threat.geo.city_name + /// threat.indicator.geo.city_name /// City name. /// Montreal /// - public static string ThreatGeoCityName = nameof(ThreatGeoCityName); + public static string ThreatIndicatorGeoCityName = nameof(ThreatIndicatorGeoCityName); /// - /// threat.geo.continent_code + /// threat.indicator.geo.continent_code /// Two-letter code representing continent's name. /// NA /// - public static string ThreatGeoContinentCode = nameof(ThreatGeoContinentCode); + public static string ThreatIndicatorGeoContinentCode = nameof(ThreatIndicatorGeoContinentCode); /// - /// threat.geo.continent_name + /// threat.indicator.geo.continent_name /// Name of the continent. /// North America /// - public static string ThreatGeoContinentName = nameof(ThreatGeoContinentName); + public static string ThreatIndicatorGeoContinentName = nameof(ThreatIndicatorGeoContinentName); /// - /// threat.geo.country_iso_code + /// threat.indicator.geo.country_iso_code /// Country ISO code. /// CA /// - public static string ThreatGeoCountryIsoCode = nameof(ThreatGeoCountryIsoCode); + public static string ThreatIndicatorGeoCountryIsoCode = nameof(ThreatIndicatorGeoCountryIsoCode); /// - /// threat.geo.country_name + /// threat.indicator.geo.country_name /// Country name. /// Canada /// - public static string ThreatGeoCountryName = nameof(ThreatGeoCountryName); + public static string ThreatIndicatorGeoCountryName = nameof(ThreatIndicatorGeoCountryName); /// - /// threat.geo.name + /// threat.indicator.geo.name /// User-defined description of a location, at the level of granularity they care about. 
/// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. /// Not typically used in automated geolocation. /// boston-dc /// - public static string ThreatGeoName = nameof(ThreatGeoName); + public static string ThreatIndicatorGeoName = nameof(ThreatIndicatorGeoName); /// - /// threat.geo.postal_code + /// threat.indicator.geo.postal_code /// Postal code associated with the location. /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. /// 94040 /// - public static string ThreatGeoPostalCode = nameof(ThreatGeoPostalCode); + public static string ThreatIndicatorGeoPostalCode = nameof(ThreatIndicatorGeoPostalCode); /// - /// threat.geo.region_iso_code + /// threat.indicator.geo.region_iso_code /// Region ISO code. /// CA-QC /// - public static string ThreatGeoRegionIsoCode = nameof(ThreatGeoRegionIsoCode); + public static string ThreatIndicatorGeoRegionIsoCode = nameof(ThreatIndicatorGeoRegionIsoCode); /// - /// threat.geo.region_name + /// threat.indicator.geo.region_name /// Region name. /// Quebec /// - public static string ThreatGeoRegionName = nameof(ThreatGeoRegionName); + public static string ThreatIndicatorGeoRegionName = nameof(ThreatIndicatorGeoRegionName); /// - /// threat.geo.timezone + /// threat.indicator.geo.timezone /// The time zone of the location, such as IANA time zone name. /// America/Argentina/Buenos_Aires /// - public static string ThreatGeoTimezone = nameof(ThreatGeoTimezone); + public static string ThreatIndicatorGeoTimezone = nameof(ThreatIndicatorGeoTimezone); /// - /// threat.registry.data.bytes + /// threat.indicator.registry.data.bytes /// Original bytes written with base64 encoding. /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= /// - public static string ThreatRegistryDataBytes = nameof(ThreatRegistryDataBytes); + public static string ThreatIndicatorRegistryDataBytes = nameof(ThreatIndicatorRegistryDataBytes); /// - /// threat.registry.data.type + /// threat.indicator.registry.data.type /// Standard registry type for encoding contents /// REG_SZ /// - public static string ThreatRegistryDataType = nameof(ThreatRegistryDataType); + public static string ThreatIndicatorRegistryDataType = nameof(ThreatIndicatorRegistryDataType); /// - /// threat.registry.hive + /// threat.indicator.registry.hive /// Abbreviated name for the hive. /// HKLM /// - public static string ThreatRegistryHive = nameof(ThreatRegistryHive); + public static string ThreatIndicatorRegistryHive = nameof(ThreatIndicatorRegistryHive); /// - /// threat.registry.key + /// threat.indicator.registry.key /// Hive-relative path of keys. /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe /// - public static string ThreatRegistryKey = nameof(ThreatRegistryKey); + public static string ThreatIndicatorRegistryKey = nameof(ThreatIndicatorRegistryKey); /// - /// threat.registry.path + /// threat.indicator.registry.path /// Full path, including hive, key and value /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger /// - public static string ThreatRegistryPath = nameof(ThreatRegistryPath); + public static string ThreatIndicatorRegistryPath = nameof(ThreatIndicatorRegistryPath); /// - /// threat.registry.value + /// threat.indicator.registry.value /// Name of the value written. 
/// Debugger /// - public static string ThreatRegistryValue = nameof(ThreatRegistryValue); + public static string ThreatIndicatorRegistryValue = nameof(ThreatIndicatorRegistryValue); /// - /// threat.url.domain + /// threat.indicator.url.domain /// Domain of the url, such as "www.elastic.co". /// In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. /// If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. /// www.elastic.co /// - public static string ThreatUrlDomain = nameof(ThreatUrlDomain); + public static string ThreatIndicatorUrlDomain = nameof(ThreatIndicatorUrlDomain); /// - /// threat.url.extension + /// threat.indicator.url.extension /// The field contains the file extension from the original request url, excluding the leading dot. /// The file extension is only set if it exists, as not every url has a file extension. /// The leading period must not be included. For example, the value must be "png", not ".png". /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). /// png /// - public static string ThreatUrlExtension = nameof(ThreatUrlExtension); + public static string ThreatIndicatorUrlExtension = nameof(ThreatIndicatorUrlExtension); /// - /// threat.url.fragment + /// threat.indicator.url.fragment /// Portion of the url after the `#`, such as "top". /// The `#` is not part of the fragment. /// /// - public static string ThreatUrlFragment = nameof(ThreatUrlFragment); + public static string ThreatIndicatorUrlFragment = nameof(ThreatIndicatorUrlFragment); /// - /// threat.url.full + /// threat.indicator.url.full /// If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
/// https://www.elastic.co:443/search?q=elasticsearch#top /// - public static string ThreatUrlFull = nameof(ThreatUrlFull); + public static string ThreatIndicatorUrlFull = nameof(ThreatIndicatorUrlFull); /// - /// threat.url.original + /// threat.indicator.url.original /// Unmodified original url as seen in the event source. /// Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. /// This field is meant to represent the URL as it was observed, complete or not. /// https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch /// - public static string ThreatUrlOriginal = nameof(ThreatUrlOriginal); + public static string ThreatIndicatorUrlOriginal = nameof(ThreatIndicatorUrlOriginal); /// - /// threat.url.password + /// threat.indicator.url.password /// Password of the request. /// /// - public static string ThreatUrlPassword = nameof(ThreatUrlPassword); + public static string ThreatIndicatorUrlPassword = nameof(ThreatIndicatorUrlPassword); /// - /// threat.url.path + /// threat.indicator.url.path /// Path of the request, such as "/search". /// /// - public static string ThreatUrlPath = nameof(ThreatUrlPath); + public static string ThreatIndicatorUrlPath = nameof(ThreatIndicatorUrlPath); /// - /// threat.url.port + /// threat.indicator.url.port /// Port of the request, such as 443. /// 443 /// - public static string ThreatUrlPort = nameof(ThreatUrlPort); + public static string ThreatIndicatorUrlPort = nameof(ThreatIndicatorUrlPort); /// - /// threat.url.query + /// threat.indicator.url.query /// The query field describes the query string of the request, such as "q=elasticsearch". /// The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
/// /// - public static string ThreatUrlQuery = nameof(ThreatUrlQuery); + public static string ThreatIndicatorUrlQuery = nameof(ThreatIndicatorUrlQuery); /// - /// threat.url.registered_domain + /// threat.indicator.url.registered_domain /// The highest registered url domain, stripped of the subdomain. /// For example, the registered domain for "foo.example.com" is "example.com". /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". /// example.com /// - public static string ThreatUrlRegisteredDomain = nameof(ThreatUrlRegisteredDomain); + public static string ThreatIndicatorUrlRegisteredDomain = nameof(ThreatIndicatorUrlRegisteredDomain); /// - /// threat.url.scheme + /// threat.indicator.url.scheme /// Scheme of the request, such as "https". /// Note: The `:` is not part of the scheme. /// https /// - public static string ThreatUrlScheme = nameof(ThreatUrlScheme); + public static string ThreatIndicatorUrlScheme = nameof(ThreatIndicatorUrlScheme); /// - /// threat.url.subdomain + /// threat.indicator.url.subdomain /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
/// east /// - public static string ThreatUrlSubdomain = nameof(ThreatUrlSubdomain); + public static string ThreatIndicatorUrlSubdomain = nameof(ThreatIndicatorUrlSubdomain); /// - /// threat.url.top_level_domain + /// threat.indicator.url.top_level_domain /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". /// co.uk /// - public static string ThreatUrlTopLevelDomain = nameof(ThreatUrlTopLevelDomain); + public static string ThreatIndicatorUrlTopLevelDomain = nameof(ThreatIndicatorUrlTopLevelDomain); /// - /// threat.url.username + /// threat.indicator.url.username /// Username of the request. /// /// - public static string ThreatUrlUsername = nameof(ThreatUrlUsername); + public static string ThreatIndicatorUrlUsername = nameof(ThreatIndicatorUrlUsername); /// /// tls.cipher /// String indicating the cipher used during the current connection. 
@@ -7237,72 +7237,72 @@ public static class LogTemplateProperties /// public static string TlsVersionProtocol = nameof(TlsVersionProtocol); /// - /// tls.x509.issuer.distinguished_name + /// tls.client.x509.issuer.distinguished_name /// Distinguished name (DN) of issuing certificate authority. /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string TlsX509IssuerDistinguishedName = nameof(TlsX509IssuerDistinguishedName); + public static string TlsClientX509IssuerDistinguishedName = nameof(TlsClientX509IssuerDistinguishedName); /// - /// tls.x509.not_after + /// tls.client.x509.not_after /// Time at which the certificate is no longer considered valid. /// 7/16/2020 3:15:39 AM /// - public static string TlsX509NotAfter = nameof(TlsX509NotAfter); + public static string TlsClientX509NotAfter = nameof(TlsClientX509NotAfter); /// - /// tls.x509.not_before + /// tls.client.x509.not_before /// Time at which the certificate is first considered valid. /// 8/16/2019 1:40:25 AM /// - public static string TlsX509NotBefore = nameof(TlsX509NotBefore); + public static string TlsClientX509NotBefore = nameof(TlsClientX509NotBefore); /// - /// tls.x509.public_key_algorithm + /// tls.client.x509.public_key_algorithm /// Algorithm used to generate the public key. /// RSA /// - public static string TlsX509PublicKeyAlgorithm = nameof(TlsX509PublicKeyAlgorithm); + public static string TlsClientX509PublicKeyAlgorithm = nameof(TlsClientX509PublicKeyAlgorithm); /// - /// tls.x509.public_key_curve + /// tls.client.x509.public_key_curve /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. /// nistp521 /// - public static string TlsX509PublicKeyCurve = nameof(TlsX509PublicKeyCurve); + public static string TlsClientX509PublicKeyCurve = nameof(TlsClientX509PublicKeyCurve); /// - /// tls.x509.public_key_exponent + /// tls.client.x509.public_key_exponent /// Exponent used to derive the public key. 
This is algorithm specific. ///
Stored but not available for search in Elasticsearch by default
/// 65537 ///
- public static string TlsX509PublicKeyExponent = nameof(TlsX509PublicKeyExponent); + public static string TlsClientX509PublicKeyExponent = nameof(TlsClientX509PublicKeyExponent); /// - /// tls.x509.public_key_size + /// tls.client.x509.public_key_size /// The size of the public key space in bits. /// 2048 /// - public static string TlsX509PublicKeySize = nameof(TlsX509PublicKeySize); + public static string TlsClientX509PublicKeySize = nameof(TlsClientX509PublicKeySize); /// - /// tls.x509.serial_number + /// tls.client.x509.serial_number /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. /// 55FBB9C7DEBF09809D12CCAA /// - public static string TlsX509SerialNumber = nameof(TlsX509SerialNumber); + public static string TlsClientX509SerialNumber = nameof(TlsClientX509SerialNumber); /// - /// tls.x509.signature_algorithm + /// tls.client.x509.signature_algorithm /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. /// SHA256-RSA /// - public static string TlsX509SignatureAlgorithm = nameof(TlsX509SignatureAlgorithm); + public static string TlsClientX509SignatureAlgorithm = nameof(TlsClientX509SignatureAlgorithm); /// - /// tls.x509.subject.distinguished_name + /// tls.client.x509.subject.distinguished_name /// Distinguished name (DN) of the certificate subject entity. /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string TlsX509SubjectDistinguishedName = nameof(TlsX509SubjectDistinguishedName); + public static string TlsClientX509SubjectDistinguishedName = nameof(TlsClientX509SubjectDistinguishedName); /// - /// tls.x509.version_number + /// tls.client.x509.version_number /// Version of x509 format. 
/// 3 /// - public static string TlsX509VersionNumber = nameof(TlsX509VersionNumber); + public static string TlsClientX509VersionNumber = nameof(TlsClientX509VersionNumber); /// /// url.domain /// Domain of the url, such as "www.elastic.co". 
@@ -7495,43 +7495,43 @@ public static class LogTemplateProperties /// public static string UserRiskStaticScoreNorm = nameof(UserRiskStaticScoreNorm); /// - /// user.user.domain + /// target.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string UserUserDomain = nameof(UserUserDomain); + public static string TargetUserDomain = nameof(TargetUserDomain); /// - /// user.user.email + /// target.user.email /// User email address. /// /// - public static string UserUserEmail = nameof(UserUserEmail); + public static string TargetUserEmail = nameof(TargetUserEmail); /// - /// user.user.full_name + /// target.user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string UserUserFullName = nameof(UserUserFullName); + public static string TargetUserFullName = nameof(TargetUserFullName); /// - /// user.user.hash + /// target.user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string UserUserHash = nameof(UserUserHash); + public static string TargetUserHash = nameof(TargetUserHash); /// - /// user.user.id + /// target.user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string UserUserId = nameof(UserUserId); + public static string TargetUserId = nameof(TargetUserId); /// - /// user.user.name + /// target.user.name /// Short name or login of the user. /// a.einstein /// - public static string UserUserName = nameof(UserUserName); + public static string TargetUserName = nameof(TargetUserName); /// /// user_agent.device.name /// Name of the device. 
@@ -7819,12 +7819,12 @@ public static class LogTemplateProperties "client.user.risk.static_level", ClientUserRiskStaticLevel, "client.user.risk.static_score", ClientUserRiskStaticScore, "client.user.risk.static_score_norm", ClientUserRiskStaticScoreNorm, - "client.user.user.domain", ClientUserUserDomain, - "client.user.user.email", ClientUserUserEmail, - "client.user.user.full_name", ClientUserUserFullName, - "client.user.user.hash", ClientUserUserHash, - "client.user.user.id", ClientUserUserId, - "client.user.user.name", ClientUserUserName, + "client.user.target.user.domain", ClientUserTargetUserDomain, + "client.user.target.user.email", ClientUserTargetUserEmail, + "client.user.target.user.full_name", ClientUserTargetUserFullName, + "client.user.target.user.hash", ClientUserTargetUserHash, + "client.user.target.user.id", ClientUserTargetUserId, + "client.user.target.user.name", ClientUserTargetUserName, "cloud.account.id", CloudAccountId, "cloud.account.name", CloudAccountName, "cloud.availability_zone", CloudAvailabilityZone, 
@@ -7836,17 +7836,17 @@ public static class LogTemplateProperties "cloud.provider", CloudProvider, "cloud.region", CloudRegion, "cloud.service.name", CloudServiceName, - "cloud.cloud.account.id", CloudCloudAccountId, - "cloud.cloud.account.name", CloudCloudAccountName, - "cloud.cloud.availability_zone", CloudCloudAvailabilityZone, - "cloud.cloud.instance.id", CloudCloudInstanceId, - "cloud.cloud.instance.name", CloudCloudInstanceName, - "cloud.cloud.machine.type", CloudCloudMachineType, - "cloud.cloud.project.id", CloudCloudProjectId, - "cloud.cloud.project.name", CloudCloudProjectName, - "cloud.cloud.provider", CloudCloudProvider, - "cloud.cloud.region", CloudCloudRegion, - "cloud.cloud.service.name", CloudCloudServiceName, + "origin.cloud.account.id", OriginCloudAccountId, + "origin.cloud.account.name", OriginCloudAccountName, + "origin.cloud.availability_zone", OriginCloudAvailabilityZone, + "origin.cloud.instance.id", OriginCloudInstanceId, + "origin.cloud.instance.name", OriginCloudInstanceName, + "origin.cloud.machine.type", OriginCloudMachineType, + "origin.cloud.project.id", OriginCloudProjectId, + "origin.cloud.project.name", OriginCloudProjectName, + "origin.cloud.provider", OriginCloudProvider, + "origin.cloud.region", OriginCloudRegion, + "origin.cloud.service.name", OriginCloudServiceName, "code_signature.digest_algorithm", CodeSignatureDigestAlgorithm, "code_signature.exists", CodeSignatureExists, "code_signature.signing_id", CodeSignatureSigningId, 
@@ -7909,12 +7909,12 @@ public static class LogTemplateProperties "destination.user.risk.static_level", DestinationUserRiskStaticLevel, "destination.user.risk.static_score", DestinationUserRiskStaticScore, "destination.user.risk.static_score_norm", DestinationUserRiskStaticScoreNorm, - "destination.user.user.domain", DestinationUserUserDomain, - "destination.user.user.email", DestinationUserUserEmail, - "destination.user.user.full_name", DestinationUserUserFullName, - "destination.user.user.hash", DestinationUserUserHash, - "destination.user.user.id", DestinationUserUserId, - "destination.user.user.name", DestinationUserUserName, + "destination.user.target.user.domain", DestinationUserTargetUserDomain, + "destination.user.target.user.email", DestinationUserTargetUserEmail, + "destination.user.target.user.full_name", DestinationUserTargetUserFullName, + "destination.user.target.user.hash", DestinationUserTargetUserHash, + "destination.user.target.user.id", DestinationUserTargetUserId, + "destination.user.target.user.name", DestinationUserTargetUserName, "device.id", DeviceId, "device.manufacturer", DeviceManufacturer, "device.model.identifier", DeviceModelIdentifier, 
@@ -8383,51 +8383,51 @@ public static class LogTemplateProperties "process.macho.imports_names_entropy", ProcessMachoImportsNamesEntropy, "process.macho.imports_names_var_entropy", ProcessMachoImportsNamesVarEntropy, "process.macho.symhash", ProcessMachoSymhash, - "process.source.address", ProcessSourceAddress, - "process.source.bytes", ProcessSourceBytes, - "process.source.domain", ProcessSourceDomain, - "process.source.ip", ProcessSourceIp, - "process.source.mac", ProcessSourceMac, - "process.source.nat.ip", ProcessSourceNatIp, - "process.source.nat.port", ProcessSourceNatPort, - "process.source.packets", ProcessSourcePackets, - "process.source.port", ProcessSourcePort, - "process.source.registered_domain", ProcessSourceRegisteredDomain, - "process.source.subdomain", ProcessSourceSubdomain, - "process.source.top_level_domain", ProcessSourceTopLevelDomain, - "process.source.as.number", ProcessSourceAsNumber, - "process.source.as.organization.name", ProcessSourceAsOrganizationName, - "process.source.geo.city_name", ProcessSourceGeoCityName, - "process.source.geo.continent_code", ProcessSourceGeoContinentCode, - "process.source.geo.continent_name", ProcessSourceGeoContinentName, - "process.source.geo.country_iso_code", ProcessSourceGeoCountryIsoCode, - "process.source.geo.country_name", ProcessSourceGeoCountryName, - "process.source.geo.name", ProcessSourceGeoName, - "process.source.geo.postal_code", ProcessSourceGeoPostalCode, - "process.source.geo.region_iso_code", ProcessSourceGeoRegionIsoCode, - "process.source.geo.region_name", ProcessSourceGeoRegionName, - "process.source.geo.timezone", ProcessSourceGeoTimezone, - "process.source.user.domain", ProcessSourceUserDomain, - "process.source.user.email", ProcessSourceUserEmail, - "process.source.user.full_name", ProcessSourceUserFullName, - "process.source.user.hash", ProcessSourceUserHash, - "process.source.user.id", ProcessSourceUserId, - "process.source.user.name", ProcessSourceUserName, - 
"process.source.user.group.domain", ProcessSourceUserGroupDomain, - "process.source.user.group.id", ProcessSourceUserGroupId, - "process.source.user.group.name", ProcessSourceUserGroupName, - "process.source.user.risk.calculated_level", ProcessSourceUserRiskCalculatedLevel, - "process.source.user.risk.calculated_score", ProcessSourceUserRiskCalculatedScore, - "process.source.user.risk.calculated_score_norm", ProcessSourceUserRiskCalculatedScoreNorm, - "process.source.user.risk.static_level", ProcessSourceUserRiskStaticLevel, - "process.source.user.risk.static_score", ProcessSourceUserRiskStaticScore, - "process.source.user.risk.static_score_norm", ProcessSourceUserRiskStaticScoreNorm, - "process.source.user.user.domain", ProcessSourceUserUserDomain, - "process.source.user.user.email", ProcessSourceUserUserEmail, - "process.source.user.user.full_name", ProcessSourceUserUserFullName, - "process.source.user.user.hash", ProcessSourceUserUserHash, - "process.source.user.user.id", ProcessSourceUserUserId, - "process.source.user.user.name", ProcessSourceUserUserName, + "process.entry_meta.source.address", ProcessEntryMetaSourceAddress, + "process.entry_meta.source.bytes", ProcessEntryMetaSourceBytes, + "process.entry_meta.source.domain", ProcessEntryMetaSourceDomain, + "process.entry_meta.source.ip", ProcessEntryMetaSourceIp, + "process.entry_meta.source.mac", ProcessEntryMetaSourceMac, + "process.entry_meta.source.nat.ip", ProcessEntryMetaSourceNatIp, + "process.entry_meta.source.nat.port", ProcessEntryMetaSourceNatPort, + "process.entry_meta.source.packets", ProcessEntryMetaSourcePackets, + "process.entry_meta.source.port", ProcessEntryMetaSourcePort, + "process.entry_meta.source.registered_domain", ProcessEntryMetaSourceRegisteredDomain, + "process.entry_meta.source.subdomain", ProcessEntryMetaSourceSubdomain, + "process.entry_meta.source.top_level_domain", ProcessEntryMetaSourceTopLevelDomain, + "process.entry_meta.source.as.number", ProcessEntryMetaSourceAsNumber, + 
"process.entry_meta.source.as.organization.name", ProcessEntryMetaSourceAsOrganizationName, + "process.entry_meta.source.geo.city_name", ProcessEntryMetaSourceGeoCityName, + "process.entry_meta.source.geo.continent_code", ProcessEntryMetaSourceGeoContinentCode, + "process.entry_meta.source.geo.continent_name", ProcessEntryMetaSourceGeoContinentName, + "process.entry_meta.source.geo.country_iso_code", ProcessEntryMetaSourceGeoCountryIsoCode, + "process.entry_meta.source.geo.country_name", ProcessEntryMetaSourceGeoCountryName, + "process.entry_meta.source.geo.name", ProcessEntryMetaSourceGeoName, + "process.entry_meta.source.geo.postal_code", ProcessEntryMetaSourceGeoPostalCode, + "process.entry_meta.source.geo.region_iso_code", ProcessEntryMetaSourceGeoRegionIsoCode, + "process.entry_meta.source.geo.region_name", ProcessEntryMetaSourceGeoRegionName, + "process.entry_meta.source.geo.timezone", ProcessEntryMetaSourceGeoTimezone, + "process.entry_meta.source.user.domain", ProcessEntryMetaSourceUserDomain, + "process.entry_meta.source.user.email", ProcessEntryMetaSourceUserEmail, + "process.entry_meta.source.user.full_name", ProcessEntryMetaSourceUserFullName, + "process.entry_meta.source.user.hash", ProcessEntryMetaSourceUserHash, + "process.entry_meta.source.user.id", ProcessEntryMetaSourceUserId, + "process.entry_meta.source.user.name", ProcessEntryMetaSourceUserName, + "process.entry_meta.source.user.group.domain", ProcessEntryMetaSourceUserGroupDomain, + "process.entry_meta.source.user.group.id", ProcessEntryMetaSourceUserGroupId, + "process.entry_meta.source.user.group.name", ProcessEntryMetaSourceUserGroupName, + "process.entry_meta.source.user.risk.calculated_level", ProcessEntryMetaSourceUserRiskCalculatedLevel, + "process.entry_meta.source.user.risk.calculated_score", ProcessEntryMetaSourceUserRiskCalculatedScore, + "process.entry_meta.source.user.risk.calculated_score_norm", ProcessEntryMetaSourceUserRiskCalculatedScoreNorm, + 
"process.entry_meta.source.user.risk.static_level", ProcessEntryMetaSourceUserRiskStaticLevel, + "process.entry_meta.source.user.risk.static_score", ProcessEntryMetaSourceUserRiskStaticScore, + "process.entry_meta.source.user.risk.static_score_norm", ProcessEntryMetaSourceUserRiskStaticScoreNorm, + "process.entry_meta.source.user.target.user.domain", ProcessEntryMetaSourceUserTargetUserDomain, + "process.entry_meta.source.user.target.user.email", ProcessEntryMetaSourceUserTargetUserEmail, + "process.entry_meta.source.user.target.user.full_name", ProcessEntryMetaSourceUserTargetUserFullName, + "process.entry_meta.source.user.target.user.hash", ProcessEntryMetaSourceUserTargetUserHash, + "process.entry_meta.source.user.target.user.id", ProcessEntryMetaSourceUserTargetUserId, + "process.entry_meta.source.user.target.user.name", ProcessEntryMetaSourceUserTargetUserName, "process.user.domain", ProcessUserDomain, "process.user.email", ProcessUserEmail, "process.user.full_name", ProcessUserFullName, 
@@ -8443,114 +8443,114 @@ public static class LogTemplateProperties "process.user.risk.static_level", ProcessUserRiskStaticLevel, "process.user.risk.static_score", ProcessUserRiskStaticScore, "process.user.risk.static_score_norm", ProcessUserRiskStaticScoreNorm, - "process.user.user.domain", ProcessUserUserDomain, - "process.user.user.email", ProcessUserUserEmail, - "process.user.user.full_name", ProcessUserUserFullName, - "process.user.user.hash", ProcessUserUserHash, - "process.user.user.id", ProcessUserUserId, - "process.user.user.name", ProcessUserUserName, - "process.process.args_count", ProcessProcessArgsCount, - "process.process.command_line", ProcessProcessCommandLine, - "process.process.end", ProcessProcessEnd, - "process.process.entity_id", ProcessProcessEntityId, - "process.process.executable", ProcessProcessExecutable, - "process.process.exit_code", ProcessProcessExitCode, - "process.process.interactive", ProcessProcessInteractive, - "process.process.name", ProcessProcessName, - "process.process.pgid", ProcessProcessPgid, - "process.process.pid", ProcessProcessPid, - "process.process.start", ProcessProcessStart, - "process.process.thread.id", ProcessProcessThreadId, - "process.process.thread.name", ProcessProcessThreadName, - "process.process.title", ProcessProcessTitle, - "process.process.uptime", ProcessProcessUptime, - "process.process.vpid", ProcessProcessVpid, - "process.process.working_directory", ProcessProcessWorkingDirectory, - "process.process.parent.process.args_count", ProcessProcessParentProcessArgsCount, - "process.process.parent.process.command_line", ProcessProcessParentProcessCommandLine, - "process.process.parent.process.end", ProcessProcessParentProcessEnd, - "process.process.parent.process.entity_id", ProcessProcessParentProcessEntityId, - "process.process.parent.process.executable", ProcessProcessParentProcessExecutable, - "process.process.parent.process.exit_code", ProcessProcessParentProcessExitCode, - 
"process.process.parent.process.interactive", ProcessProcessParentProcessInteractive, - "process.process.parent.process.name", ProcessProcessParentProcessName, - "process.process.parent.process.pgid", ProcessProcessParentProcessPgid, - "process.process.parent.process.pid", ProcessProcessParentProcessPid, - "process.process.parent.process.start", ProcessProcessParentProcessStart, - "process.process.parent.process.thread.id", ProcessProcessParentProcessThreadId, - "process.process.parent.process.thread.name", ProcessProcessParentProcessThreadName, - "process.process.parent.process.title", ProcessProcessParentProcessTitle, - "process.process.parent.process.uptime", ProcessProcessParentProcessUptime, - "process.process.parent.process.vpid", ProcessProcessParentProcessVpid, - "process.process.parent.process.working_directory", ProcessProcessParentProcessWorkingDirectory, - "process.process.entry_leader.process.args_count", ProcessProcessEntryLeaderProcessArgsCount, - "process.process.entry_leader.process.command_line", ProcessProcessEntryLeaderProcessCommandLine, - "process.process.entry_leader.process.end", ProcessProcessEntryLeaderProcessEnd, - "process.process.entry_leader.process.entity_id", ProcessProcessEntryLeaderProcessEntityId, - "process.process.entry_leader.process.executable", ProcessProcessEntryLeaderProcessExecutable, - "process.process.entry_leader.process.exit_code", ProcessProcessEntryLeaderProcessExitCode, - "process.process.entry_leader.process.interactive", ProcessProcessEntryLeaderProcessInteractive, - "process.process.entry_leader.process.name", ProcessProcessEntryLeaderProcessName, - "process.process.entry_leader.process.pgid", ProcessProcessEntryLeaderProcessPgid, - "process.process.entry_leader.process.pid", ProcessProcessEntryLeaderProcessPid, - "process.process.entry_leader.process.start", ProcessProcessEntryLeaderProcessStart, - "process.process.entry_leader.process.thread.id", ProcessProcessEntryLeaderProcessThreadId, - 
"process.process.entry_leader.process.thread.name", ProcessProcessEntryLeaderProcessThreadName, - "process.process.entry_leader.process.title", ProcessProcessEntryLeaderProcessTitle, - "process.process.entry_leader.process.uptime", ProcessProcessEntryLeaderProcessUptime, - "process.process.entry_leader.process.vpid", ProcessProcessEntryLeaderProcessVpid, - "process.process.entry_leader.process.working_directory", ProcessProcessEntryLeaderProcessWorkingDirectory, - "process.process.entry_leader.process.entry_leader.parent.process.args_count", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount, - "process.process.entry_leader.process.entry_leader.parent.process.command_line", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine, - "process.process.entry_leader.process.entry_leader.parent.process.end", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd, - "process.process.entry_leader.process.entry_leader.parent.process.entity_id", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId, - "process.process.entry_leader.process.entry_leader.parent.process.executable", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable, - "process.process.entry_leader.process.entry_leader.parent.process.exit_code", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode, - "process.process.entry_leader.process.entry_leader.parent.process.interactive", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive, - "process.process.entry_leader.process.entry_leader.parent.process.name", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName, - "process.process.entry_leader.process.entry_leader.parent.process.pgid", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid, - "process.process.entry_leader.process.entry_leader.parent.process.pid", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid, - "process.process.entry_leader.process.entry_leader.parent.process.start", 
ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart, - "process.process.entry_leader.process.entry_leader.parent.process.thread.id", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId, - "process.process.entry_leader.process.entry_leader.parent.process.thread.name", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName, - "process.process.entry_leader.process.entry_leader.parent.process.title", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle, - "process.process.entry_leader.process.entry_leader.parent.process.uptime", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime, - "process.process.entry_leader.process.entry_leader.parent.process.vpid", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid, - "process.process.entry_leader.process.entry_leader.parent.process.working_directory", ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory, - "process.process.session_leader.process.args_count", ProcessProcessSessionLeaderProcessArgsCount, - "process.process.session_leader.process.command_line", ProcessProcessSessionLeaderProcessCommandLine, - "process.process.session_leader.process.end", ProcessProcessSessionLeaderProcessEnd, - "process.process.session_leader.process.entity_id", ProcessProcessSessionLeaderProcessEntityId, - "process.process.session_leader.process.executable", ProcessProcessSessionLeaderProcessExecutable, - "process.process.session_leader.process.exit_code", ProcessProcessSessionLeaderProcessExitCode, - "process.process.session_leader.process.interactive", ProcessProcessSessionLeaderProcessInteractive, - "process.process.session_leader.process.name", ProcessProcessSessionLeaderProcessName, - "process.process.session_leader.process.pgid", ProcessProcessSessionLeaderProcessPgid, - "process.process.session_leader.process.pid", ProcessProcessSessionLeaderProcessPid, - "process.process.session_leader.process.start", ProcessProcessSessionLeaderProcessStart, - 
"process.process.session_leader.process.thread.id", ProcessProcessSessionLeaderProcessThreadId, - "process.process.session_leader.process.thread.name", ProcessProcessSessionLeaderProcessThreadName, - "process.process.session_leader.process.title", ProcessProcessSessionLeaderProcessTitle, - "process.process.session_leader.process.uptime", ProcessProcessSessionLeaderProcessUptime, - "process.process.session_leader.process.vpid", ProcessProcessSessionLeaderProcessVpid, - "process.process.session_leader.process.working_directory", ProcessProcessSessionLeaderProcessWorkingDirectory, - "process.process.session_leader.process.session_leader.parent.process.args_count", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount, - "process.process.session_leader.process.session_leader.parent.process.command_line", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine, - "process.process.session_leader.process.session_leader.parent.process.end", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd, - "process.process.session_leader.process.session_leader.parent.process.entity_id", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId, - "process.process.session_leader.process.session_leader.parent.process.executable", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable, - "process.process.session_leader.process.session_leader.parent.process.exit_code", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode, - "process.process.session_leader.process.session_leader.parent.process.interactive", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive, - "process.process.session_leader.process.session_leader.parent.process.name", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName, - "process.process.session_leader.process.session_leader.parent.process.pgid", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid, - 
"process.process.session_leader.process.session_leader.parent.process.pid", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid, - "process.process.session_leader.process.session_leader.parent.process.start", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart, - "process.process.session_leader.process.session_leader.parent.process.thread.id", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId, - "process.process.session_leader.process.session_leader.parent.process.thread.name", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName, - "process.process.session_leader.process.session_leader.parent.process.title", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle, - "process.process.session_leader.process.session_leader.parent.process.uptime", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime, - "process.process.session_leader.process.session_leader.parent.process.vpid", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid, - "process.process.session_leader.process.session_leader.parent.process.working_directory", ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory, + "process.user.target.user.domain", ProcessUserTargetUserDomain, + "process.user.target.user.email", ProcessUserTargetUserEmail, + "process.user.target.user.full_name", ProcessUserTargetUserFullName, + "process.user.target.user.hash", ProcessUserTargetUserHash, + "process.user.target.user.id", ProcessUserTargetUserId, + "process.user.target.user.name", ProcessUserTargetUserName, + "parent.process.args_count", ParentProcessArgsCount, + "parent.process.command_line", ParentProcessCommandLine, + "parent.process.end", ParentProcessEnd, + "parent.process.entity_id", ParentProcessEntityId, + "parent.process.executable", ParentProcessExecutable, + "parent.process.exit_code", ParentProcessExitCode, + "parent.process.interactive", ParentProcessInteractive, + "parent.process.name", 
ParentProcessName, + "parent.process.pgid", ParentProcessPgid, + "parent.process.pid", ParentProcessPid, + "parent.process.start", ParentProcessStart, + "parent.process.thread.id", ParentProcessThreadId, + "parent.process.thread.name", ParentProcessThreadName, + "parent.process.title", ParentProcessTitle, + "parent.process.uptime", ParentProcessUptime, + "parent.process.vpid", ParentProcessVpid, + "parent.process.working_directory", ParentProcessWorkingDirectory, + "process.parent.group_leader.process.args_count", ProcessParentGroupLeaderProcessArgsCount, + "process.parent.group_leader.process.command_line", ProcessParentGroupLeaderProcessCommandLine, + "process.parent.group_leader.process.end", ProcessParentGroupLeaderProcessEnd, + "process.parent.group_leader.process.entity_id", ProcessParentGroupLeaderProcessEntityId, + "process.parent.group_leader.process.executable", ProcessParentGroupLeaderProcessExecutable, + "process.parent.group_leader.process.exit_code", ProcessParentGroupLeaderProcessExitCode, + "process.parent.group_leader.process.interactive", ProcessParentGroupLeaderProcessInteractive, + "process.parent.group_leader.process.name", ProcessParentGroupLeaderProcessName, + "process.parent.group_leader.process.pgid", ProcessParentGroupLeaderProcessPgid, + "process.parent.group_leader.process.pid", ProcessParentGroupLeaderProcessPid, + "process.parent.group_leader.process.start", ProcessParentGroupLeaderProcessStart, + "process.parent.group_leader.process.thread.id", ProcessParentGroupLeaderProcessThreadId, + "process.parent.group_leader.process.thread.name", ProcessParentGroupLeaderProcessThreadName, + "process.parent.group_leader.process.title", ProcessParentGroupLeaderProcessTitle, + "process.parent.group_leader.process.uptime", ProcessParentGroupLeaderProcessUptime, + "process.parent.group_leader.process.vpid", ProcessParentGroupLeaderProcessVpid, + "process.parent.group_leader.process.working_directory", ProcessParentGroupLeaderProcessWorkingDirectory, 
+ "process.entry_leader.parent.process.args_count", ProcessEntryLeaderParentProcessArgsCount, + "process.entry_leader.parent.process.command_line", ProcessEntryLeaderParentProcessCommandLine, + "process.entry_leader.parent.process.end", ProcessEntryLeaderParentProcessEnd, + "process.entry_leader.parent.process.entity_id", ProcessEntryLeaderParentProcessEntityId, + "process.entry_leader.parent.process.executable", ProcessEntryLeaderParentProcessExecutable, + "process.entry_leader.parent.process.exit_code", ProcessEntryLeaderParentProcessExitCode, + "process.entry_leader.parent.process.interactive", ProcessEntryLeaderParentProcessInteractive, + "process.entry_leader.parent.process.name", ProcessEntryLeaderParentProcessName, + "process.entry_leader.parent.process.pgid", ProcessEntryLeaderParentProcessPgid, + "process.entry_leader.parent.process.pid", ProcessEntryLeaderParentProcessPid, + "process.entry_leader.parent.process.start", ProcessEntryLeaderParentProcessStart, + "process.entry_leader.parent.process.thread.id", ProcessEntryLeaderParentProcessThreadId, + "process.entry_leader.parent.process.thread.name", ProcessEntryLeaderParentProcessThreadName, + "process.entry_leader.parent.process.title", ProcessEntryLeaderParentProcessTitle, + "process.entry_leader.parent.process.uptime", ProcessEntryLeaderParentProcessUptime, + "process.entry_leader.parent.process.vpid", ProcessEntryLeaderParentProcessVpid, + "process.entry_leader.parent.process.working_directory", ProcessEntryLeaderParentProcessWorkingDirectory, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.end", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd, 
+ "entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.executable", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.name", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.pid", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.start", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.title", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime, + "entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid, + 
"entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory, + "process.session_leader.parent.process.args_count", ProcessSessionLeaderParentProcessArgsCount, + "process.session_leader.parent.process.command_line", ProcessSessionLeaderParentProcessCommandLine, + "process.session_leader.parent.process.end", ProcessSessionLeaderParentProcessEnd, + "process.session_leader.parent.process.entity_id", ProcessSessionLeaderParentProcessEntityId, + "process.session_leader.parent.process.executable", ProcessSessionLeaderParentProcessExecutable, + "process.session_leader.parent.process.exit_code", ProcessSessionLeaderParentProcessExitCode, + "process.session_leader.parent.process.interactive", ProcessSessionLeaderParentProcessInteractive, + "process.session_leader.parent.process.name", ProcessSessionLeaderParentProcessName, + "process.session_leader.parent.process.pgid", ProcessSessionLeaderParentProcessPgid, + "process.session_leader.parent.process.pid", ProcessSessionLeaderParentProcessPid, + "process.session_leader.parent.process.start", ProcessSessionLeaderParentProcessStart, + "process.session_leader.parent.process.thread.id", ProcessSessionLeaderParentProcessThreadId, + "process.session_leader.parent.process.thread.name", ProcessSessionLeaderParentProcessThreadName, + "process.session_leader.parent.process.title", ProcessSessionLeaderParentProcessTitle, + "process.session_leader.parent.process.uptime", ProcessSessionLeaderParentProcessUptime, + "process.session_leader.parent.process.vpid", ProcessSessionLeaderParentProcessVpid, + "process.session_leader.parent.process.working_directory", ProcessSessionLeaderParentProcessWorkingDirectory, + "session_leader.process.parent.session_leader.parent.session_leader.process.args_count", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount, + 
"session_leader.process.parent.session_leader.parent.session_leader.process.command_line", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine, + "session_leader.process.parent.session_leader.parent.session_leader.process.end", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd, + "session_leader.process.parent.session_leader.parent.session_leader.process.entity_id", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId, + "session_leader.process.parent.session_leader.parent.session_leader.process.executable", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable, + "session_leader.process.parent.session_leader.parent.session_leader.process.exit_code", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode, + "session_leader.process.parent.session_leader.parent.session_leader.process.interactive", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive, + "session_leader.process.parent.session_leader.parent.session_leader.process.name", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName, + "session_leader.process.parent.session_leader.parent.session_leader.process.pgid", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid, + "session_leader.process.parent.session_leader.parent.session_leader.process.pid", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid, + "session_leader.process.parent.session_leader.parent.session_leader.process.start", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart, + "session_leader.process.parent.session_leader.parent.session_leader.process.thread.id", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId, + "session_leader.process.parent.session_leader.parent.session_leader.process.thread.name", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName, + 
"session_leader.process.parent.session_leader.parent.session_leader.process.title", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle, + "session_leader.process.parent.session_leader.parent.session_leader.process.uptime", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime, + "session_leader.process.parent.session_leader.parent.session_leader.process.vpid", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid, + "session_leader.process.parent.session_leader.parent.session_leader.process.working_directory", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory, "registry.data.bytes", RegistryDataBytes, "registry.data.type", RegistryDataType, "registry.hive", RegistryHive, @@ -8611,12 +8611,12 @@ public static class LogTemplateProperties "server.user.risk.static_level", ServerUserRiskStaticLevel, "server.user.risk.static_score", ServerUserRiskStaticScore, "server.user.risk.static_score_norm", ServerUserRiskStaticScoreNorm, - "server.user.user.domain", ServerUserUserDomain, - "server.user.user.email", ServerUserUserEmail, - "server.user.user.full_name", ServerUserUserFullName, - "server.user.user.hash", ServerUserUserHash, - "server.user.user.id", ServerUserUserId, - "server.user.user.name", ServerUserUserName, + "server.user.target.user.domain", ServerUserTargetUserDomain, + "server.user.target.user.email", ServerUserTargetUserEmail, + "server.user.target.user.full_name", ServerUserTargetUserFullName, + "server.user.target.user.hash", ServerUserTargetUserHash, + "server.user.target.user.id", ServerUserTargetUserId, + "server.user.target.user.name", ServerUserTargetUserName, "service.address", ServiceAddress, "service.environment", ServiceEnvironment, "service.ephemeral_id", ServiceEphemeralId, 
@@ -8627,16 +8627,16 @@ public static class LogTemplateProperties "service.state", ServiceState, "service.type", ServiceType, "service.version", ServiceVersion, - "service.service.address", ServiceServiceAddress, - "service.service.environment", ServiceServiceEnvironment, - "service.service.ephemeral_id", ServiceServiceEphemeralId, - "service.service.id", ServiceServiceId, - "service.service.name", ServiceServiceName, - "service.service.node.name", ServiceServiceNodeName, - "service.service.node.role", ServiceServiceNodeRole, - "service.service.state", ServiceServiceState, - "service.service.type", ServiceServiceType, - "service.service.version", ServiceServiceVersion, + "origin.service.address", OriginServiceAddress, + "origin.service.environment", OriginServiceEnvironment, + "origin.service.ephemeral_id", OriginServiceEphemeralId, + "origin.service.id", OriginServiceId, + "origin.service.name", OriginServiceName, + "origin.service.node.name", OriginServiceNodeName, + "origin.service.node.role", OriginServiceNodeRole, + "origin.service.state", OriginServiceState, + "origin.service.type", OriginServiceType, + "origin.service.version", OriginServiceVersion, "source.address", SourceAddress, "source.bytes", SourceBytes, "source.domain", SourceDomain, 
@@ -8676,12 +8676,12 @@ public static class LogTemplateProperties "source.user.risk.static_level", SourceUserRiskStaticLevel, "source.user.risk.static_score", SourceUserRiskStaticScore, "source.user.risk.static_score_norm", SourceUserRiskStaticScoreNorm, - "source.user.user.domain", SourceUserUserDomain, - "source.user.user.email", SourceUserUserEmail, - "source.user.user.full_name", SourceUserUserFullName, - "source.user.user.hash", SourceUserUserHash, - "source.user.user.id", SourceUserUserId, - "source.user.user.name", SourceUserUserName, + "source.user.target.user.domain", SourceUserTargetUserDomain, + "source.user.target.user.email", SourceUserTargetUserEmail, + "source.user.target.user.full_name", SourceUserTargetUserFullName, + "source.user.target.user.hash", SourceUserTargetUserHash, + "source.user.target.user.id", SourceUserTargetUserId, + "source.user.target.user.name", SourceUserTargetUserName, "threat.feed.dashboard_id", ThreatFeedDashboardId, "threat.feed.description", ThreatFeedDescription, "threat.feed.name", ThreatFeedName, 
@@ -8710,143 +8710,143 @@ public static class LogTemplateProperties "threat.software.name", ThreatSoftwareName, "threat.software.reference", ThreatSoftwareReference, "threat.software.type", ThreatSoftwareType, - "threat.x509.issuer.distinguished_name", ThreatX509IssuerDistinguishedName, - "threat.x509.not_after", ThreatX509NotAfter, - "threat.x509.not_before", ThreatX509NotBefore, - "threat.x509.public_key_algorithm", ThreatX509PublicKeyAlgorithm, - "threat.x509.public_key_curve", ThreatX509PublicKeyCurve, - "threat.x509.public_key_exponent", ThreatX509PublicKeyExponent, - "threat.x509.public_key_size", ThreatX509PublicKeySize, - "threat.x509.serial_number", ThreatX509SerialNumber, - "threat.x509.signature_algorithm", ThreatX509SignatureAlgorithm, - "threat.x509.subject.distinguished_name", ThreatX509SubjectDistinguishedName, - "threat.x509.version_number", ThreatX509VersionNumber, - "threat.as.number", ThreatAsNumber, - "threat.as.organization.name", ThreatAsOrganizationName, - "threat.file.accessed", ThreatFileAccessed, - "threat.file.created", ThreatFileCreated, - "threat.file.ctime", ThreatFileCtime, - "threat.file.device", ThreatFileDevice, - "threat.file.directory", ThreatFileDirectory, - "threat.file.drive_letter", ThreatFileDriveLetter, - "threat.file.extension", ThreatFileExtension, - "threat.file.fork_name", ThreatFileForkName, - "threat.file.gid", ThreatFileGid, - "threat.file.group", ThreatFileGroup, - "threat.file.inode", ThreatFileInode, - "threat.file.mime_type", ThreatFileMimeType, - "threat.file.mode", ThreatFileMode, - "threat.file.mtime", ThreatFileMtime, - "threat.file.name", ThreatFileName, - "threat.file.owner", ThreatFileOwner, - "threat.file.path", ThreatFilePath, - "threat.file.size", ThreatFileSize, - "threat.file.target_path", ThreatFileTargetPath, - "threat.file.type", ThreatFileType, - "threat.file.uid", ThreatFileUid, - "threat.file.hash.md5", ThreatFileHashMd5, - "threat.file.hash.sha1", ThreatFileHashSha1, - 
"threat.file.hash.sha256", ThreatFileHashSha256, - "threat.file.hash.sha384", ThreatFileHashSha384, - "threat.file.hash.sha512", ThreatFileHashSha512, - "threat.file.hash.ssdeep", ThreatFileHashSsdeep, - "threat.file.hash.tlsh", ThreatFileHashTlsh, - "threat.file.pe.architecture", ThreatFilePeArchitecture, - "threat.file.pe.company", ThreatFilePeCompany, - "threat.file.pe.description", ThreatFilePeDescription, - "threat.file.pe.file_version", ThreatFilePeFileVersion, - "threat.file.pe.go_import_hash", ThreatFilePeGoImportHash, - "threat.file.pe.go_imports", ThreatFilePeGoImports, - "threat.file.pe.go_imports_names_entropy", ThreatFilePeGoImportsNamesEntropy, - "threat.file.pe.go_imports_names_var_entropy", ThreatFilePeGoImportsNamesVarEntropy, - "threat.file.pe.go_stripped", ThreatFilePeGoStripped, - "threat.file.pe.imphash", ThreatFilePeImphash, - "threat.file.pe.import_hash", ThreatFilePeImportHash, - "threat.file.pe.imports_names_entropy", ThreatFilePeImportsNamesEntropy, - "threat.file.pe.imports_names_var_entropy", ThreatFilePeImportsNamesVarEntropy, - "threat.file.pe.original_file_name", ThreatFilePeOriginalFileName, - "threat.file.pe.pehash", ThreatFilePePehash, - "threat.file.pe.product", ThreatFilePeProduct, - "threat.file.x509.issuer.distinguished_name", ThreatFileX509IssuerDistinguishedName, - "threat.file.x509.not_after", ThreatFileX509NotAfter, - "threat.file.x509.not_before", ThreatFileX509NotBefore, - "threat.file.x509.public_key_algorithm", ThreatFileX509PublicKeyAlgorithm, - "threat.file.x509.public_key_curve", ThreatFileX509PublicKeyCurve, - "threat.file.x509.public_key_exponent", ThreatFileX509PublicKeyExponent, - "threat.file.x509.public_key_size", ThreatFileX509PublicKeySize, - "threat.file.x509.serial_number", ThreatFileX509SerialNumber, - "threat.file.x509.signature_algorithm", ThreatFileX509SignatureAlgorithm, - "threat.file.x509.subject.distinguished_name", ThreatFileX509SubjectDistinguishedName, - "threat.file.x509.version_number", 
ThreatFileX509VersionNumber, - "threat.file.code_signature.digest_algorithm", ThreatFileCodeSignatureDigestAlgorithm, - "threat.file.code_signature.exists", ThreatFileCodeSignatureExists, - "threat.file.code_signature.signing_id", ThreatFileCodeSignatureSigningId, - "threat.file.code_signature.status", ThreatFileCodeSignatureStatus, - "threat.file.code_signature.subject_name", ThreatFileCodeSignatureSubjectName, - "threat.file.code_signature.team_id", ThreatFileCodeSignatureTeamId, - "threat.file.code_signature.timestamp", ThreatFileCodeSignatureTimestamp, - "threat.file.code_signature.trusted", ThreatFileCodeSignatureTrusted, - "threat.file.code_signature.valid", ThreatFileCodeSignatureValid, - "threat.file.elf.architecture", ThreatFileElfArchitecture, - "threat.file.elf.byte_order", ThreatFileElfByteOrder, - "threat.file.elf.cpu_type", ThreatFileElfCpuType, - "threat.file.elf.creation_date", ThreatFileElfCreationDate, - "threat.file.elf.go_import_hash", ThreatFileElfGoImportHash, - "threat.file.elf.go_imports", ThreatFileElfGoImports, - "threat.file.elf.go_imports_names_entropy", ThreatFileElfGoImportsNamesEntropy, - "threat.file.elf.go_imports_names_var_entropy", ThreatFileElfGoImportsNamesVarEntropy, - "threat.file.elf.go_stripped", ThreatFileElfGoStripped, - "threat.file.elf.header.abi_version", ThreatFileElfHeaderAbiVersion, - "threat.file.elf.header.class", ThreatFileElfHeaderClass, - "threat.file.elf.header.data", ThreatFileElfHeaderData, - "threat.file.elf.header.entrypoint", ThreatFileElfHeaderEntrypoint, - "threat.file.elf.header.object_version", ThreatFileElfHeaderObjectVersion, - "threat.file.elf.header.os_abi", ThreatFileElfHeaderOsAbi, - "threat.file.elf.header.type", ThreatFileElfHeaderType, - "threat.file.elf.header.version", ThreatFileElfHeaderVersion, - "threat.file.elf.import_hash", ThreatFileElfImportHash, - "threat.file.elf.imports_names_entropy", ThreatFileElfImportsNamesEntropy, - "threat.file.elf.imports_names_var_entropy", 
ThreatFileElfImportsNamesVarEntropy, - "threat.file.elf.telfhash", ThreatFileElfTelfhash, - "threat.file.macho.go_import_hash", ThreatFileMachoGoImportHash, - "threat.file.macho.go_imports", ThreatFileMachoGoImports, - "threat.file.macho.go_imports_names_entropy", ThreatFileMachoGoImportsNamesEntropy, - "threat.file.macho.go_imports_names_var_entropy", ThreatFileMachoGoImportsNamesVarEntropy, - "threat.file.macho.go_stripped", ThreatFileMachoGoStripped, - "threat.file.macho.import_hash", ThreatFileMachoImportHash, - "threat.file.macho.imports_names_entropy", ThreatFileMachoImportsNamesEntropy, - "threat.file.macho.imports_names_var_entropy", ThreatFileMachoImportsNamesVarEntropy, - "threat.file.macho.symhash", ThreatFileMachoSymhash, - "threat.geo.city_name", ThreatGeoCityName, - "threat.geo.continent_code", ThreatGeoContinentCode, - "threat.geo.continent_name", ThreatGeoContinentName, - "threat.geo.country_iso_code", ThreatGeoCountryIsoCode, - "threat.geo.country_name", ThreatGeoCountryName, - "threat.geo.name", ThreatGeoName, - "threat.geo.postal_code", ThreatGeoPostalCode, - "threat.geo.region_iso_code", ThreatGeoRegionIsoCode, - "threat.geo.region_name", ThreatGeoRegionName, - "threat.geo.timezone", ThreatGeoTimezone, - "threat.registry.data.bytes", ThreatRegistryDataBytes, - "threat.registry.data.type", ThreatRegistryDataType, - "threat.registry.hive", ThreatRegistryHive, - "threat.registry.key", ThreatRegistryKey, - "threat.registry.path", ThreatRegistryPath, - "threat.registry.value", ThreatRegistryValue, - "threat.url.domain", ThreatUrlDomain, - "threat.url.extension", ThreatUrlExtension, - "threat.url.fragment", ThreatUrlFragment, - "threat.url.full", ThreatUrlFull, - "threat.url.original", ThreatUrlOriginal, - "threat.url.password", ThreatUrlPassword, - "threat.url.path", ThreatUrlPath, - "threat.url.port", ThreatUrlPort, - "threat.url.query", ThreatUrlQuery, - "threat.url.registered_domain", ThreatUrlRegisteredDomain, - "threat.url.scheme", 
ThreatUrlScheme, - "threat.url.subdomain", ThreatUrlSubdomain, - "threat.url.top_level_domain", ThreatUrlTopLevelDomain, - "threat.url.username", ThreatUrlUsername, + "threat.indicator.x509.issuer.distinguished_name", ThreatIndicatorX509IssuerDistinguishedName, + "threat.indicator.x509.not_after", ThreatIndicatorX509NotAfter, + "threat.indicator.x509.not_before", ThreatIndicatorX509NotBefore, + "threat.indicator.x509.public_key_algorithm", ThreatIndicatorX509PublicKeyAlgorithm, + "threat.indicator.x509.public_key_curve", ThreatIndicatorX509PublicKeyCurve, + "threat.indicator.x509.public_key_exponent", ThreatIndicatorX509PublicKeyExponent, + "threat.indicator.x509.public_key_size", ThreatIndicatorX509PublicKeySize, + "threat.indicator.x509.serial_number", ThreatIndicatorX509SerialNumber, + "threat.indicator.x509.signature_algorithm", ThreatIndicatorX509SignatureAlgorithm, + "threat.indicator.x509.subject.distinguished_name", ThreatIndicatorX509SubjectDistinguishedName, + "threat.indicator.x509.version_number", ThreatIndicatorX509VersionNumber, + "threat.indicator.as.number", ThreatIndicatorAsNumber, + "threat.indicator.as.organization.name", ThreatIndicatorAsOrganizationName, + "threat.indicator.file.accessed", ThreatIndicatorFileAccessed, + "threat.indicator.file.created", ThreatIndicatorFileCreated, + "threat.indicator.file.ctime", ThreatIndicatorFileCtime, + "threat.indicator.file.device", ThreatIndicatorFileDevice, + "threat.indicator.file.directory", ThreatIndicatorFileDirectory, + "threat.indicator.file.drive_letter", ThreatIndicatorFileDriveLetter, + "threat.indicator.file.extension", ThreatIndicatorFileExtension, + "threat.indicator.file.fork_name", ThreatIndicatorFileForkName, + "threat.indicator.file.gid", ThreatIndicatorFileGid, + "threat.indicator.file.group", ThreatIndicatorFileGroup, + "threat.indicator.file.inode", ThreatIndicatorFileInode, + "threat.indicator.file.mime_type", ThreatIndicatorFileMimeType, + "threat.indicator.file.mode", 
ThreatIndicatorFileMode, + "threat.indicator.file.mtime", ThreatIndicatorFileMtime, + "threat.indicator.file.name", ThreatIndicatorFileName, + "threat.indicator.file.owner", ThreatIndicatorFileOwner, + "threat.indicator.file.path", ThreatIndicatorFilePath, + "threat.indicator.file.size", ThreatIndicatorFileSize, + "threat.indicator.file.target_path", ThreatIndicatorFileTargetPath, + "threat.indicator.file.type", ThreatIndicatorFileType, + "threat.indicator.file.uid", ThreatIndicatorFileUid, + "threat.indicator.file.hash.md5", ThreatIndicatorFileHashMd5, + "threat.indicator.file.hash.sha1", ThreatIndicatorFileHashSha1, + "threat.indicator.file.hash.sha256", ThreatIndicatorFileHashSha256, + "threat.indicator.file.hash.sha384", ThreatIndicatorFileHashSha384, + "threat.indicator.file.hash.sha512", ThreatIndicatorFileHashSha512, + "threat.indicator.file.hash.ssdeep", ThreatIndicatorFileHashSsdeep, + "threat.indicator.file.hash.tlsh", ThreatIndicatorFileHashTlsh, + "threat.indicator.file.pe.architecture", ThreatIndicatorFilePeArchitecture, + "threat.indicator.file.pe.company", ThreatIndicatorFilePeCompany, + "threat.indicator.file.pe.description", ThreatIndicatorFilePeDescription, + "threat.indicator.file.pe.file_version", ThreatIndicatorFilePeFileVersion, + "threat.indicator.file.pe.go_import_hash", ThreatIndicatorFilePeGoImportHash, + "threat.indicator.file.pe.go_imports", ThreatIndicatorFilePeGoImports, + "threat.indicator.file.pe.go_imports_names_entropy", ThreatIndicatorFilePeGoImportsNamesEntropy, + "threat.indicator.file.pe.go_imports_names_var_entropy", ThreatIndicatorFilePeGoImportsNamesVarEntropy, + "threat.indicator.file.pe.go_stripped", ThreatIndicatorFilePeGoStripped, + "threat.indicator.file.pe.imphash", ThreatIndicatorFilePeImphash, + "threat.indicator.file.pe.import_hash", ThreatIndicatorFilePeImportHash, + "threat.indicator.file.pe.imports_names_entropy", ThreatIndicatorFilePeImportsNamesEntropy, + "threat.indicator.file.pe.imports_names_var_entropy", 
ThreatIndicatorFilePeImportsNamesVarEntropy, + "threat.indicator.file.pe.original_file_name", ThreatIndicatorFilePeOriginalFileName, + "threat.indicator.file.pe.pehash", ThreatIndicatorFilePePehash, + "threat.indicator.file.pe.product", ThreatIndicatorFilePeProduct, + "threat.indicator.file.x509.issuer.distinguished_name", ThreatIndicatorFileX509IssuerDistinguishedName, + "threat.indicator.file.x509.not_after", ThreatIndicatorFileX509NotAfter, + "threat.indicator.file.x509.not_before", ThreatIndicatorFileX509NotBefore, + "threat.indicator.file.x509.public_key_algorithm", ThreatIndicatorFileX509PublicKeyAlgorithm, + "threat.indicator.file.x509.public_key_curve", ThreatIndicatorFileX509PublicKeyCurve, + "threat.indicator.file.x509.public_key_exponent", ThreatIndicatorFileX509PublicKeyExponent, + "threat.indicator.file.x509.public_key_size", ThreatIndicatorFileX509PublicKeySize, + "threat.indicator.file.x509.serial_number", ThreatIndicatorFileX509SerialNumber, + "threat.indicator.file.x509.signature_algorithm", ThreatIndicatorFileX509SignatureAlgorithm, + "threat.indicator.file.x509.subject.distinguished_name", ThreatIndicatorFileX509SubjectDistinguishedName, + "threat.indicator.file.x509.version_number", ThreatIndicatorFileX509VersionNumber, + "threat.indicator.file.code_signature.digest_algorithm", ThreatIndicatorFileCodeSignatureDigestAlgorithm, + "threat.indicator.file.code_signature.exists", ThreatIndicatorFileCodeSignatureExists, + "threat.indicator.file.code_signature.signing_id", ThreatIndicatorFileCodeSignatureSigningId, + "threat.indicator.file.code_signature.status", ThreatIndicatorFileCodeSignatureStatus, + "threat.indicator.file.code_signature.subject_name", ThreatIndicatorFileCodeSignatureSubjectName, + "threat.indicator.file.code_signature.team_id", ThreatIndicatorFileCodeSignatureTeamId, + "threat.indicator.file.code_signature.timestamp", ThreatIndicatorFileCodeSignatureTimestamp, + "threat.indicator.file.code_signature.trusted", 
ThreatIndicatorFileCodeSignatureTrusted, + "threat.indicator.file.code_signature.valid", ThreatIndicatorFileCodeSignatureValid, + "threat.indicator.file.elf.architecture", ThreatIndicatorFileElfArchitecture, + "threat.indicator.file.elf.byte_order", ThreatIndicatorFileElfByteOrder, + "threat.indicator.file.elf.cpu_type", ThreatIndicatorFileElfCpuType, + "threat.indicator.file.elf.creation_date", ThreatIndicatorFileElfCreationDate, + "threat.indicator.file.elf.go_import_hash", ThreatIndicatorFileElfGoImportHash, + "threat.indicator.file.elf.go_imports", ThreatIndicatorFileElfGoImports, + "threat.indicator.file.elf.go_imports_names_entropy", ThreatIndicatorFileElfGoImportsNamesEntropy, + "threat.indicator.file.elf.go_imports_names_var_entropy", ThreatIndicatorFileElfGoImportsNamesVarEntropy, + "threat.indicator.file.elf.go_stripped", ThreatIndicatorFileElfGoStripped, + "threat.indicator.file.elf.header.abi_version", ThreatIndicatorFileElfHeaderAbiVersion, + "threat.indicator.file.elf.header.class", ThreatIndicatorFileElfHeaderClass, + "threat.indicator.file.elf.header.data", ThreatIndicatorFileElfHeaderData, + "threat.indicator.file.elf.header.entrypoint", ThreatIndicatorFileElfHeaderEntrypoint, + "threat.indicator.file.elf.header.object_version", ThreatIndicatorFileElfHeaderObjectVersion, + "threat.indicator.file.elf.header.os_abi", ThreatIndicatorFileElfHeaderOsAbi, + "threat.indicator.file.elf.header.type", ThreatIndicatorFileElfHeaderType, + "threat.indicator.file.elf.header.version", ThreatIndicatorFileElfHeaderVersion, + "threat.indicator.file.elf.import_hash", ThreatIndicatorFileElfImportHash, + "threat.indicator.file.elf.imports_names_entropy", ThreatIndicatorFileElfImportsNamesEntropy, + "threat.indicator.file.elf.imports_names_var_entropy", ThreatIndicatorFileElfImportsNamesVarEntropy, + "threat.indicator.file.elf.telfhash", ThreatIndicatorFileElfTelfhash, + "threat.indicator.file.macho.go_import_hash", ThreatIndicatorFileMachoGoImportHash, + 
"threat.indicator.file.macho.go_imports", ThreatIndicatorFileMachoGoImports, + "threat.indicator.file.macho.go_imports_names_entropy", ThreatIndicatorFileMachoGoImportsNamesEntropy, + "threat.indicator.file.macho.go_imports_names_var_entropy", ThreatIndicatorFileMachoGoImportsNamesVarEntropy, + "threat.indicator.file.macho.go_stripped", ThreatIndicatorFileMachoGoStripped, + "threat.indicator.file.macho.import_hash", ThreatIndicatorFileMachoImportHash, + "threat.indicator.file.macho.imports_names_entropy", ThreatIndicatorFileMachoImportsNamesEntropy, + "threat.indicator.file.macho.imports_names_var_entropy", ThreatIndicatorFileMachoImportsNamesVarEntropy, + "threat.indicator.file.macho.symhash", ThreatIndicatorFileMachoSymhash, + "threat.indicator.geo.city_name", ThreatIndicatorGeoCityName, + "threat.indicator.geo.continent_code", ThreatIndicatorGeoContinentCode, + "threat.indicator.geo.continent_name", ThreatIndicatorGeoContinentName, + "threat.indicator.geo.country_iso_code", ThreatIndicatorGeoCountryIsoCode, + "threat.indicator.geo.country_name", ThreatIndicatorGeoCountryName, + "threat.indicator.geo.name", ThreatIndicatorGeoName, + "threat.indicator.geo.postal_code", ThreatIndicatorGeoPostalCode, + "threat.indicator.geo.region_iso_code", ThreatIndicatorGeoRegionIsoCode, + "threat.indicator.geo.region_name", ThreatIndicatorGeoRegionName, + "threat.indicator.geo.timezone", ThreatIndicatorGeoTimezone, + "threat.indicator.registry.data.bytes", ThreatIndicatorRegistryDataBytes, + "threat.indicator.registry.data.type", ThreatIndicatorRegistryDataType, + "threat.indicator.registry.hive", ThreatIndicatorRegistryHive, + "threat.indicator.registry.key", ThreatIndicatorRegistryKey, + "threat.indicator.registry.path", ThreatIndicatorRegistryPath, + "threat.indicator.registry.value", ThreatIndicatorRegistryValue, + "threat.indicator.url.domain", ThreatIndicatorUrlDomain, + "threat.indicator.url.extension", ThreatIndicatorUrlExtension, + "threat.indicator.url.fragment", 
ThreatIndicatorUrlFragment, + "threat.indicator.url.full", ThreatIndicatorUrlFull, + "threat.indicator.url.original", ThreatIndicatorUrlOriginal, + "threat.indicator.url.password", ThreatIndicatorUrlPassword, + "threat.indicator.url.path", ThreatIndicatorUrlPath, + "threat.indicator.url.port", ThreatIndicatorUrlPort, + "threat.indicator.url.query", ThreatIndicatorUrlQuery, + "threat.indicator.url.registered_domain", ThreatIndicatorUrlRegisteredDomain, + "threat.indicator.url.scheme", ThreatIndicatorUrlScheme, + "threat.indicator.url.subdomain", ThreatIndicatorUrlSubdomain, + "threat.indicator.url.top_level_domain", ThreatIndicatorUrlTopLevelDomain, + "threat.indicator.url.username", ThreatIndicatorUrlUsername, "tls.cipher", TlsCipher, "tls.client.certificate", TlsClientCertificate, "tls.client.hash.md5", TlsClientHashMd5, 
@@ -8873,17 +8873,17 @@ public static class LogTemplateProperties "tls.server.subject", TlsServerSubject, "tls.version", TlsVersion, "tls.version_protocol", TlsVersionProtocol, - "tls.x509.issuer.distinguished_name", TlsX509IssuerDistinguishedName, - "tls.x509.not_after", TlsX509NotAfter, - "tls.x509.not_before", TlsX509NotBefore, - "tls.x509.public_key_algorithm", TlsX509PublicKeyAlgorithm, - "tls.x509.public_key_curve", TlsX509PublicKeyCurve, - "tls.x509.public_key_exponent", TlsX509PublicKeyExponent, - "tls.x509.public_key_size", TlsX509PublicKeySize, - "tls.x509.serial_number", TlsX509SerialNumber, - "tls.x509.signature_algorithm", TlsX509SignatureAlgorithm, - "tls.x509.subject.distinguished_name", TlsX509SubjectDistinguishedName, - "tls.x509.version_number", TlsX509VersionNumber, + "tls.client.x509.issuer.distinguished_name", TlsClientX509IssuerDistinguishedName, + "tls.client.x509.not_after", TlsClientX509NotAfter, + "tls.client.x509.not_before", TlsClientX509NotBefore, + "tls.client.x509.public_key_algorithm", TlsClientX509PublicKeyAlgorithm, + "tls.client.x509.public_key_curve", TlsClientX509PublicKeyCurve, + "tls.client.x509.public_key_exponent", TlsClientX509PublicKeyExponent, + "tls.client.x509.public_key_size", TlsClientX509PublicKeySize, + "tls.client.x509.serial_number", TlsClientX509SerialNumber, + "tls.client.x509.signature_algorithm", TlsClientX509SignatureAlgorithm, + "tls.client.x509.subject.distinguished_name", TlsClientX509SubjectDistinguishedName, + "tls.client.x509.version_number", TlsClientX509VersionNumber, "url.domain", UrlDomain, "url.extension", UrlExtension, "url.fragment", UrlFragment, 
@@ -8913,12 +8913,12 @@ public static class LogTemplateProperties "user.risk.static_level", UserRiskStaticLevel, "user.risk.static_score", UserRiskStaticScore, "user.risk.static_score_norm", UserRiskStaticScoreNorm, - "user.user.domain", UserUserDomain, - "user.user.email", UserUserEmail, - "user.user.full_name", UserUserFullName, - "user.user.hash", UserUserHash, - "user.user.id", UserUserId, - "user.user.name", UserUserName, + "target.user.domain", TargetUserDomain, + "target.user.email", TargetUserEmail, + "target.user.full_name", TargetUserFullName, + "target.user.hash", TargetUserHash, + "target.user.id", TargetUserId, + "target.user.name", TargetUserName, "user_agent.device.name", UserAgentDeviceName, "user_agent.name", UserAgentName, "user_agent.original", UserAgentOriginal, diff --git a/src/Elastic.CommonSchema/PropDispatch.Generated.cs b/src/Elastic.CommonSchema/PropDispatch.Generated.cs index 0d7476e1..ee8966c4 100644 --- a/src/Elastic.CommonSchema/PropDispatch.Generated.cs +++ b/src/Elastic.CommonSchema/PropDispatch.Generated.cs 
@@ -763,18 +763,18 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ClientUserRiskStaticScore": case "client.user.risk.static_score_norm": case "ClientUserRiskStaticScoreNorm": - case "client.user.user.domain": - case "ClientUserUserDomain": - case "client.user.user.email": - case "ClientUserUserEmail": - case "client.user.user.full_name": - case "ClientUserUserFullName": - case "client.user.user.hash": - case "ClientUserUserHash": - case "client.user.user.id": - case "ClientUserUserId": - case "client.user.user.name": - case "ClientUserUserName": + case "client.user.target.user.domain": + case "ClientUserTargetUserDomain": + case "client.user.target.user.email": + case "ClientUserTargetUserEmail": + case "client.user.target.user.full_name": + case "ClientUserTargetUserFullName": + case "client.user.target.user.hash": + case "ClientUserTargetUserHash": + case "client.user.target.user.id": + case "ClientUserTargetUserId": + case "client.user.target.user.name": + case "ClientUserTargetUserName": return TrySetClient(document, path, value); case "cloud.account.id": case "CloudAccountId": 
@@ -798,28 +798,28 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "CloudRegion": case "cloud.service.name": case "CloudServiceName": - case "cloud.cloud.account.id": - case "CloudCloudAccountId": - case "cloud.cloud.account.name": - case "CloudCloudAccountName": - case "cloud.cloud.availability_zone": - case "CloudCloudAvailabilityZone": - case "cloud.cloud.instance.id": - case "CloudCloudInstanceId": - case "cloud.cloud.instance.name": - case "CloudCloudInstanceName": - case "cloud.cloud.machine.type": - case "CloudCloudMachineType": - case "cloud.cloud.project.id": - case "CloudCloudProjectId": - case "cloud.cloud.project.name": - case "CloudCloudProjectName": - case "cloud.cloud.provider": - case "CloudCloudProvider": - case "cloud.cloud.region": - case "CloudCloudRegion": - case "cloud.cloud.service.name": - case "CloudCloudServiceName": + case "origin.cloud.account.id": + case "OriginCloudAccountId": + case "origin.cloud.account.name": + case "OriginCloudAccountName": + case "origin.cloud.availability_zone": + case "OriginCloudAvailabilityZone": + case "origin.cloud.instance.id": + case "OriginCloudInstanceId": + case "origin.cloud.instance.name": + case "OriginCloudInstanceName": + case "origin.cloud.machine.type": + case "OriginCloudMachineType": + case "origin.cloud.project.id": + case "OriginCloudProjectId": + case "origin.cloud.project.name": + case "OriginCloudProjectName": + case "origin.cloud.provider": + case "OriginCloudProvider": + case "origin.cloud.region": + case "OriginCloudRegion": + case "origin.cloud.service.name": + case "OriginCloudServiceName": return TrySetCloud(document, path, value); case "code_signature.digest_algorithm": case "CodeSignatureDigestAlgorithm": 
@@ -948,18 +948,18 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DestinationUserRiskStaticScore": case "destination.user.risk.static_score_norm": case "DestinationUserRiskStaticScoreNorm": - case "destination.user.user.domain": - case "DestinationUserUserDomain": - case "destination.user.user.email": - case "DestinationUserUserEmail": - case "destination.user.user.full_name": - case "DestinationUserUserFullName": - case "destination.user.user.hash": - case "DestinationUserUserHash": - case "destination.user.user.id": - case "DestinationUserUserId": - case "destination.user.user.name": - case "DestinationUserUserName": + case "destination.user.target.user.domain": + case "DestinationUserTargetUserDomain": + case "destination.user.target.user.email": + case "DestinationUserTargetUserEmail": + case "destination.user.target.user.full_name": + case "DestinationUserTargetUserFullName": + case "destination.user.target.user.hash": + case "DestinationUserTargetUserHash": + case "destination.user.target.user.id": + case "DestinationUserTargetUserId": + case "destination.user.target.user.name": + case "DestinationUserTargetUserName": return TrySetDestination(document, path, value); case "device.id": case "DeviceId": 
@@ -1922,96 +1922,96 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessMachoImportsNamesVarEntropy": case "process.macho.symhash": case "ProcessMachoSymhash": - case "process.source.address": - case "ProcessSourceAddress": - case "process.source.bytes": - case "ProcessSourceBytes": - case "process.source.domain": - case "ProcessSourceDomain": - case "process.source.ip": - case "ProcessSourceIp": - case "process.source.mac": - case "ProcessSourceMac": - case "process.source.nat.ip": - case "ProcessSourceNatIp": - case "process.source.nat.port": - case "ProcessSourceNatPort": - case "process.source.packets": - case "ProcessSourcePackets": - case "process.source.port": - case "ProcessSourcePort": - case "process.source.registered_domain": - case "ProcessSourceRegisteredDomain": - case "process.source.subdomain": - case "ProcessSourceSubdomain": - case "process.source.top_level_domain": - case "ProcessSourceTopLevelDomain": - case "process.source.as.number": - case "ProcessSourceAsNumber": - case "process.source.as.organization.name": - case "ProcessSourceAsOrganizationName": - case "process.source.geo.city_name": - case "ProcessSourceGeoCityName": - case "process.source.geo.continent_code": - case "ProcessSourceGeoContinentCode": - case "process.source.geo.continent_name": - case "ProcessSourceGeoContinentName": - case "process.source.geo.country_iso_code": - case "ProcessSourceGeoCountryIsoCode": - case "process.source.geo.country_name": - case "ProcessSourceGeoCountryName": - case "process.source.geo.name": - case "ProcessSourceGeoName": - case "process.source.geo.postal_code": - case "ProcessSourceGeoPostalCode": - case "process.source.geo.region_iso_code": - case "ProcessSourceGeoRegionIsoCode": - case "process.source.geo.region_name": - case "ProcessSourceGeoRegionName": - case "process.source.geo.timezone": - case "ProcessSourceGeoTimezone": - case "process.source.user.domain": - case "ProcessSourceUserDomain": - case 
"process.source.user.email": - case "ProcessSourceUserEmail": - case "process.source.user.full_name": - case "ProcessSourceUserFullName": - case "process.source.user.hash": - case "ProcessSourceUserHash": - case "process.source.user.id": - case "ProcessSourceUserId": - case "process.source.user.name": - case "ProcessSourceUserName": - case "process.source.user.group.domain": - case "ProcessSourceUserGroupDomain": - case "process.source.user.group.id": - case "ProcessSourceUserGroupId": - case "process.source.user.group.name": - case "ProcessSourceUserGroupName": - case "process.source.user.risk.calculated_level": - case "ProcessSourceUserRiskCalculatedLevel": - case "process.source.user.risk.calculated_score": - case "ProcessSourceUserRiskCalculatedScore": - case "process.source.user.risk.calculated_score_norm": - case "ProcessSourceUserRiskCalculatedScoreNorm": - case "process.source.user.risk.static_level": - case "ProcessSourceUserRiskStaticLevel": - case "process.source.user.risk.static_score": - case "ProcessSourceUserRiskStaticScore": - case "process.source.user.risk.static_score_norm": - case "ProcessSourceUserRiskStaticScoreNorm": - case "process.source.user.user.domain": - case "ProcessSourceUserUserDomain": - case "process.source.user.user.email": - case "ProcessSourceUserUserEmail": - case "process.source.user.user.full_name": - case "ProcessSourceUserUserFullName": - case "process.source.user.user.hash": - case "ProcessSourceUserUserHash": - case "process.source.user.user.id": - case "ProcessSourceUserUserId": - case "process.source.user.user.name": - case "ProcessSourceUserUserName": + case "process.entry_meta.source.address": + case "ProcessEntryMetaSourceAddress": + case "process.entry_meta.source.bytes": + case "ProcessEntryMetaSourceBytes": + case "process.entry_meta.source.domain": + case "ProcessEntryMetaSourceDomain": + case "process.entry_meta.source.ip": + case "ProcessEntryMetaSourceIp": + case "process.entry_meta.source.mac": + case 
"ProcessEntryMetaSourceMac": + case "process.entry_meta.source.nat.ip": + case "ProcessEntryMetaSourceNatIp": + case "process.entry_meta.source.nat.port": + case "ProcessEntryMetaSourceNatPort": + case "process.entry_meta.source.packets": + case "ProcessEntryMetaSourcePackets": + case "process.entry_meta.source.port": + case "ProcessEntryMetaSourcePort": + case "process.entry_meta.source.registered_domain": + case "ProcessEntryMetaSourceRegisteredDomain": + case "process.entry_meta.source.subdomain": + case "ProcessEntryMetaSourceSubdomain": + case "process.entry_meta.source.top_level_domain": + case "ProcessEntryMetaSourceTopLevelDomain": + case "process.entry_meta.source.as.number": + case "ProcessEntryMetaSourceAsNumber": + case "process.entry_meta.source.as.organization.name": + case "ProcessEntryMetaSourceAsOrganizationName": + case "process.entry_meta.source.geo.city_name": + case "ProcessEntryMetaSourceGeoCityName": + case "process.entry_meta.source.geo.continent_code": + case "ProcessEntryMetaSourceGeoContinentCode": + case "process.entry_meta.source.geo.continent_name": + case "ProcessEntryMetaSourceGeoContinentName": + case "process.entry_meta.source.geo.country_iso_code": + case "ProcessEntryMetaSourceGeoCountryIsoCode": + case "process.entry_meta.source.geo.country_name": + case "ProcessEntryMetaSourceGeoCountryName": + case "process.entry_meta.source.geo.name": + case "ProcessEntryMetaSourceGeoName": + case "process.entry_meta.source.geo.postal_code": + case "ProcessEntryMetaSourceGeoPostalCode": + case "process.entry_meta.source.geo.region_iso_code": + case "ProcessEntryMetaSourceGeoRegionIsoCode": + case "process.entry_meta.source.geo.region_name": + case "ProcessEntryMetaSourceGeoRegionName": + case "process.entry_meta.source.geo.timezone": + case "ProcessEntryMetaSourceGeoTimezone": + case "process.entry_meta.source.user.domain": + case "ProcessEntryMetaSourceUserDomain": + case "process.entry_meta.source.user.email": + case 
"ProcessEntryMetaSourceUserEmail": + case "process.entry_meta.source.user.full_name": + case "ProcessEntryMetaSourceUserFullName": + case "process.entry_meta.source.user.hash": + case "ProcessEntryMetaSourceUserHash": + case "process.entry_meta.source.user.id": + case "ProcessEntryMetaSourceUserId": + case "process.entry_meta.source.user.name": + case "ProcessEntryMetaSourceUserName": + case "process.entry_meta.source.user.group.domain": + case "ProcessEntryMetaSourceUserGroupDomain": + case "process.entry_meta.source.user.group.id": + case "ProcessEntryMetaSourceUserGroupId": + case "process.entry_meta.source.user.group.name": + case "ProcessEntryMetaSourceUserGroupName": + case "process.entry_meta.source.user.risk.calculated_level": + case "ProcessEntryMetaSourceUserRiskCalculatedLevel": + case "process.entry_meta.source.user.risk.calculated_score": + case "ProcessEntryMetaSourceUserRiskCalculatedScore": + case "process.entry_meta.source.user.risk.calculated_score_norm": + case "ProcessEntryMetaSourceUserRiskCalculatedScoreNorm": + case "process.entry_meta.source.user.risk.static_level": + case "ProcessEntryMetaSourceUserRiskStaticLevel": + case "process.entry_meta.source.user.risk.static_score": + case "ProcessEntryMetaSourceUserRiskStaticScore": + case "process.entry_meta.source.user.risk.static_score_norm": + case "ProcessEntryMetaSourceUserRiskStaticScoreNorm": + case "process.entry_meta.source.user.target.user.domain": + case "ProcessEntryMetaSourceUserTargetUserDomain": + case "process.entry_meta.source.user.target.user.email": + case "ProcessEntryMetaSourceUserTargetUserEmail": + case "process.entry_meta.source.user.target.user.full_name": + case "ProcessEntryMetaSourceUserTargetUserFullName": + case "process.entry_meta.source.user.target.user.hash": + case "ProcessEntryMetaSourceUserTargetUserHash": + case "process.entry_meta.source.user.target.user.id": + case "ProcessEntryMetaSourceUserTargetUserId": + case 
"process.entry_meta.source.user.target.user.name": + case "ProcessEntryMetaSourceUserTargetUserName": case "process.user.domain": case "ProcessUserDomain": case "process.user.email": 
@@ -2042,222 +2042,222 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessUserRiskStaticScore": case "process.user.risk.static_score_norm": case "ProcessUserRiskStaticScoreNorm": - case "process.user.user.domain": - case "ProcessUserUserDomain": - case "process.user.user.email": - case "ProcessUserUserEmail": - case "process.user.user.full_name": - case "ProcessUserUserFullName": - case "process.user.user.hash": - case "ProcessUserUserHash": - case "process.user.user.id": - case "ProcessUserUserId": - case "process.user.user.name": - case "ProcessUserUserName": - case "process.process.args_count": - case "ProcessProcessArgsCount": - case "process.process.command_line": - case "ProcessProcessCommandLine": - case "process.process.end": - case "ProcessProcessEnd": - case "process.process.entity_id": - case "ProcessProcessEntityId": - case "process.process.executable": - case "ProcessProcessExecutable": - case "process.process.exit_code": - case "ProcessProcessExitCode": - case "process.process.interactive": - case "ProcessProcessInteractive": - case "process.process.name": - case "ProcessProcessName": - case "process.process.pgid": - case "ProcessProcessPgid": - case "process.process.pid": - case "ProcessProcessPid": - case "process.process.start": - case "ProcessProcessStart": - case "process.process.thread.id": - case "ProcessProcessThreadId": - case "process.process.thread.name": - case "ProcessProcessThreadName": - case "process.process.title": - case "ProcessProcessTitle": - case "process.process.uptime": - case "ProcessProcessUptime": - case "process.process.vpid": - case "ProcessProcessVpid": - case "process.process.working_directory": - case "ProcessProcessWorkingDirectory": - case "process.process.parent.process.args_count": - case "ProcessProcessParentProcessArgsCount": - case "process.process.parent.process.command_line": - case "ProcessProcessParentProcessCommandLine": - case "process.process.parent.process.end": - 
case "ProcessProcessParentProcessEnd": - case "process.process.parent.process.entity_id": - case "ProcessProcessParentProcessEntityId": - case "process.process.parent.process.executable": - case "ProcessProcessParentProcessExecutable": - case "process.process.parent.process.exit_code": - case "ProcessProcessParentProcessExitCode": - case "process.process.parent.process.interactive": - case "ProcessProcessParentProcessInteractive": - case "process.process.parent.process.name": - case "ProcessProcessParentProcessName": - case "process.process.parent.process.pgid": - case "ProcessProcessParentProcessPgid": - case "process.process.parent.process.pid": - case "ProcessProcessParentProcessPid": - case "process.process.parent.process.start": - case "ProcessProcessParentProcessStart": - case "process.process.parent.process.thread.id": - case "ProcessProcessParentProcessThreadId": - case "process.process.parent.process.thread.name": - case "ProcessProcessParentProcessThreadName": - case "process.process.parent.process.title": - case "ProcessProcessParentProcessTitle": - case "process.process.parent.process.uptime": - case "ProcessProcessParentProcessUptime": - case "process.process.parent.process.vpid": - case "ProcessProcessParentProcessVpid": - case "process.process.parent.process.working_directory": - case "ProcessProcessParentProcessWorkingDirectory": - case "process.process.entry_leader.process.args_count": - case "ProcessProcessEntryLeaderProcessArgsCount": - case "process.process.entry_leader.process.command_line": - case "ProcessProcessEntryLeaderProcessCommandLine": - case "process.process.entry_leader.process.end": - case "ProcessProcessEntryLeaderProcessEnd": - case "process.process.entry_leader.process.entity_id": - case "ProcessProcessEntryLeaderProcessEntityId": - case "process.process.entry_leader.process.executable": - case "ProcessProcessEntryLeaderProcessExecutable": - case "process.process.entry_leader.process.exit_code": - case 
"ProcessProcessEntryLeaderProcessExitCode": - case "process.process.entry_leader.process.interactive": - case "ProcessProcessEntryLeaderProcessInteractive": - case "process.process.entry_leader.process.name": - case "ProcessProcessEntryLeaderProcessName": - case "process.process.entry_leader.process.pgid": - case "ProcessProcessEntryLeaderProcessPgid": - case "process.process.entry_leader.process.pid": - case "ProcessProcessEntryLeaderProcessPid": - case "process.process.entry_leader.process.start": - case "ProcessProcessEntryLeaderProcessStart": - case "process.process.entry_leader.process.thread.id": - case "ProcessProcessEntryLeaderProcessThreadId": - case "process.process.entry_leader.process.thread.name": - case "ProcessProcessEntryLeaderProcessThreadName": - case "process.process.entry_leader.process.title": - case "ProcessProcessEntryLeaderProcessTitle": - case "process.process.entry_leader.process.uptime": - case "ProcessProcessEntryLeaderProcessUptime": - case "process.process.entry_leader.process.vpid": - case "ProcessProcessEntryLeaderProcessVpid": - case "process.process.entry_leader.process.working_directory": - case "ProcessProcessEntryLeaderProcessWorkingDirectory": - case "process.process.entry_leader.process.entry_leader.parent.process.args_count": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount": - case "process.process.entry_leader.process.entry_leader.parent.process.command_line": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine": - case "process.process.entry_leader.process.entry_leader.parent.process.end": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd": - case "process.process.entry_leader.process.entry_leader.parent.process.entity_id": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId": - case "process.process.entry_leader.process.entry_leader.parent.process.executable": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable": 
- case "process.process.entry_leader.process.entry_leader.parent.process.exit_code": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode": - case "process.process.entry_leader.process.entry_leader.parent.process.interactive": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive": - case "process.process.entry_leader.process.entry_leader.parent.process.name": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName": - case "process.process.entry_leader.process.entry_leader.parent.process.pgid": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid": - case "process.process.entry_leader.process.entry_leader.parent.process.pid": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid": - case "process.process.entry_leader.process.entry_leader.parent.process.start": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart": - case "process.process.entry_leader.process.entry_leader.parent.process.thread.id": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId": - case "process.process.entry_leader.process.entry_leader.parent.process.thread.name": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName": - case "process.process.entry_leader.process.entry_leader.parent.process.title": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle": - case "process.process.entry_leader.process.entry_leader.parent.process.uptime": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime": - case "process.process.entry_leader.process.entry_leader.parent.process.vpid": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid": - case "process.process.entry_leader.process.entry_leader.parent.process.working_directory": - case "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory": - case "process.process.session_leader.process.args_count": - case 
"ProcessProcessSessionLeaderProcessArgsCount": - case "process.process.session_leader.process.command_line": - case "ProcessProcessSessionLeaderProcessCommandLine": - case "process.process.session_leader.process.end": - case "ProcessProcessSessionLeaderProcessEnd": - case "process.process.session_leader.process.entity_id": - case "ProcessProcessSessionLeaderProcessEntityId": - case "process.process.session_leader.process.executable": - case "ProcessProcessSessionLeaderProcessExecutable": - case "process.process.session_leader.process.exit_code": - case "ProcessProcessSessionLeaderProcessExitCode": - case "process.process.session_leader.process.interactive": - case "ProcessProcessSessionLeaderProcessInteractive": - case "process.process.session_leader.process.name": - case "ProcessProcessSessionLeaderProcessName": - case "process.process.session_leader.process.pgid": - case "ProcessProcessSessionLeaderProcessPgid": - case "process.process.session_leader.process.pid": - case "ProcessProcessSessionLeaderProcessPid": - case "process.process.session_leader.process.start": - case "ProcessProcessSessionLeaderProcessStart": - case "process.process.session_leader.process.thread.id": - case "ProcessProcessSessionLeaderProcessThreadId": - case "process.process.session_leader.process.thread.name": - case "ProcessProcessSessionLeaderProcessThreadName": - case "process.process.session_leader.process.title": - case "ProcessProcessSessionLeaderProcessTitle": - case "process.process.session_leader.process.uptime": - case "ProcessProcessSessionLeaderProcessUptime": - case "process.process.session_leader.process.vpid": - case "ProcessProcessSessionLeaderProcessVpid": - case "process.process.session_leader.process.working_directory": - case "ProcessProcessSessionLeaderProcessWorkingDirectory": - case "process.process.session_leader.process.session_leader.parent.process.args_count": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount": - case 
"process.process.session_leader.process.session_leader.parent.process.command_line": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine": - case "process.process.session_leader.process.session_leader.parent.process.end": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd": - case "process.process.session_leader.process.session_leader.parent.process.entity_id": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId": - case "process.process.session_leader.process.session_leader.parent.process.executable": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable": - case "process.process.session_leader.process.session_leader.parent.process.exit_code": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode": - case "process.process.session_leader.process.session_leader.parent.process.interactive": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive": - case "process.process.session_leader.process.session_leader.parent.process.name": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName": - case "process.process.session_leader.process.session_leader.parent.process.pgid": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid": - case "process.process.session_leader.process.session_leader.parent.process.pid": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid": - case "process.process.session_leader.process.session_leader.parent.process.start": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart": - case "process.process.session_leader.process.session_leader.parent.process.thread.id": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId": - case "process.process.session_leader.process.session_leader.parent.process.thread.name": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName": - case 
"process.process.session_leader.process.session_leader.parent.process.title": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle": - case "process.process.session_leader.process.session_leader.parent.process.uptime": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime": - case "process.process.session_leader.process.session_leader.parent.process.vpid": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid": - case "process.process.session_leader.process.session_leader.parent.process.working_directory": - case "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory": + case "process.user.target.user.domain": + case "ProcessUserTargetUserDomain": + case "process.user.target.user.email": + case "ProcessUserTargetUserEmail": + case "process.user.target.user.full_name": + case "ProcessUserTargetUserFullName": + case "process.user.target.user.hash": + case "ProcessUserTargetUserHash": + case "process.user.target.user.id": + case "ProcessUserTargetUserId": + case "process.user.target.user.name": + case "ProcessUserTargetUserName": + case "parent.process.args_count": + case "ParentProcessArgsCount": + case "parent.process.command_line": + case "ParentProcessCommandLine": + case "parent.process.end": + case "ParentProcessEnd": + case "parent.process.entity_id": + case "ParentProcessEntityId": + case "parent.process.executable": + case "ParentProcessExecutable": + case "parent.process.exit_code": + case "ParentProcessExitCode": + case "parent.process.interactive": + case "ParentProcessInteractive": + case "parent.process.name": + case "ParentProcessName": + case "parent.process.pgid": + case "ParentProcessPgid": + case "parent.process.pid": + case "ParentProcessPid": + case "parent.process.start": + case "ParentProcessStart": + case "parent.process.thread.id": + case "ParentProcessThreadId": + case "parent.process.thread.name": + case "ParentProcessThreadName": + case 
"parent.process.title": + case "ParentProcessTitle": + case "parent.process.uptime": + case "ParentProcessUptime": + case "parent.process.vpid": + case "ParentProcessVpid": + case "parent.process.working_directory": + case "ParentProcessWorkingDirectory": + case "process.parent.group_leader.process.args_count": + case "ProcessParentGroupLeaderProcessArgsCount": + case "process.parent.group_leader.process.command_line": + case "ProcessParentGroupLeaderProcessCommandLine": + case "process.parent.group_leader.process.end": + case "ProcessParentGroupLeaderProcessEnd": + case "process.parent.group_leader.process.entity_id": + case "ProcessParentGroupLeaderProcessEntityId": + case "process.parent.group_leader.process.executable": + case "ProcessParentGroupLeaderProcessExecutable": + case "process.parent.group_leader.process.exit_code": + case "ProcessParentGroupLeaderProcessExitCode": + case "process.parent.group_leader.process.interactive": + case "ProcessParentGroupLeaderProcessInteractive": + case "process.parent.group_leader.process.name": + case "ProcessParentGroupLeaderProcessName": + case "process.parent.group_leader.process.pgid": + case "ProcessParentGroupLeaderProcessPgid": + case "process.parent.group_leader.process.pid": + case "ProcessParentGroupLeaderProcessPid": + case "process.parent.group_leader.process.start": + case "ProcessParentGroupLeaderProcessStart": + case "process.parent.group_leader.process.thread.id": + case "ProcessParentGroupLeaderProcessThreadId": + case "process.parent.group_leader.process.thread.name": + case "ProcessParentGroupLeaderProcessThreadName": + case "process.parent.group_leader.process.title": + case "ProcessParentGroupLeaderProcessTitle": + case "process.parent.group_leader.process.uptime": + case "ProcessParentGroupLeaderProcessUptime": + case "process.parent.group_leader.process.vpid": + case "ProcessParentGroupLeaderProcessVpid": + case "process.parent.group_leader.process.working_directory": + case 
"ProcessParentGroupLeaderProcessWorkingDirectory": + case "process.entry_leader.parent.process.args_count": + case "ProcessEntryLeaderParentProcessArgsCount": + case "process.entry_leader.parent.process.command_line": + case "ProcessEntryLeaderParentProcessCommandLine": + case "process.entry_leader.parent.process.end": + case "ProcessEntryLeaderParentProcessEnd": + case "process.entry_leader.parent.process.entity_id": + case "ProcessEntryLeaderParentProcessEntityId": + case "process.entry_leader.parent.process.executable": + case "ProcessEntryLeaderParentProcessExecutable": + case "process.entry_leader.parent.process.exit_code": + case "ProcessEntryLeaderParentProcessExitCode": + case "process.entry_leader.parent.process.interactive": + case "ProcessEntryLeaderParentProcessInteractive": + case "process.entry_leader.parent.process.name": + case "ProcessEntryLeaderParentProcessName": + case "process.entry_leader.parent.process.pgid": + case "ProcessEntryLeaderParentProcessPgid": + case "process.entry_leader.parent.process.pid": + case "ProcessEntryLeaderParentProcessPid": + case "process.entry_leader.parent.process.start": + case "ProcessEntryLeaderParentProcessStart": + case "process.entry_leader.parent.process.thread.id": + case "ProcessEntryLeaderParentProcessThreadId": + case "process.entry_leader.parent.process.thread.name": + case "ProcessEntryLeaderParentProcessThreadName": + case "process.entry_leader.parent.process.title": + case "ProcessEntryLeaderParentProcessTitle": + case "process.entry_leader.parent.process.uptime": + case "ProcessEntryLeaderParentProcessUptime": + case "process.entry_leader.parent.process.vpid": + case "ProcessEntryLeaderParentProcessVpid": + case "process.entry_leader.parent.process.working_directory": + case "ProcessEntryLeaderParentProcessWorkingDirectory": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount": + 
case "entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.end": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.executable": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.name": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.pid": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.start": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name": + case 
"EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.title": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid": + case "entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory": + case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory": + case "process.session_leader.parent.process.args_count": + case "ProcessSessionLeaderParentProcessArgsCount": + case "process.session_leader.parent.process.command_line": + case "ProcessSessionLeaderParentProcessCommandLine": + case "process.session_leader.parent.process.end": + case "ProcessSessionLeaderParentProcessEnd": + case "process.session_leader.parent.process.entity_id": + case "ProcessSessionLeaderParentProcessEntityId": + case "process.session_leader.parent.process.executable": + case "ProcessSessionLeaderParentProcessExecutable": + case "process.session_leader.parent.process.exit_code": + case "ProcessSessionLeaderParentProcessExitCode": + case "process.session_leader.parent.process.interactive": + case "ProcessSessionLeaderParentProcessInteractive": + case "process.session_leader.parent.process.name": + case "ProcessSessionLeaderParentProcessName": + case "process.session_leader.parent.process.pgid": + case "ProcessSessionLeaderParentProcessPgid": + case "process.session_leader.parent.process.pid": + case "ProcessSessionLeaderParentProcessPid": + case "process.session_leader.parent.process.start": + case "ProcessSessionLeaderParentProcessStart": + case "process.session_leader.parent.process.thread.id": + case 
"ProcessSessionLeaderParentProcessThreadId": + case "process.session_leader.parent.process.thread.name": + case "ProcessSessionLeaderParentProcessThreadName": + case "process.session_leader.parent.process.title": + case "ProcessSessionLeaderParentProcessTitle": + case "process.session_leader.parent.process.uptime": + case "ProcessSessionLeaderParentProcessUptime": + case "process.session_leader.parent.process.vpid": + case "ProcessSessionLeaderParentProcessVpid": + case "process.session_leader.parent.process.working_directory": + case "ProcessSessionLeaderParentProcessWorkingDirectory": + case "session_leader.process.parent.session_leader.parent.session_leader.process.args_count": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount": + case "session_leader.process.parent.session_leader.parent.session_leader.process.command_line": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine": + case "session_leader.process.parent.session_leader.parent.session_leader.process.end": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd": + case "session_leader.process.parent.session_leader.parent.session_leader.process.entity_id": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId": + case "session_leader.process.parent.session_leader.parent.session_leader.process.executable": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable": + case "session_leader.process.parent.session_leader.parent.session_leader.process.exit_code": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode": + case "session_leader.process.parent.session_leader.parent.session_leader.process.interactive": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive": + case "session_leader.process.parent.session_leader.parent.session_leader.process.name": + case 
"SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName": + case "session_leader.process.parent.session_leader.parent.session_leader.process.pgid": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid": + case "session_leader.process.parent.session_leader.parent.session_leader.process.pid": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid": + case "session_leader.process.parent.session_leader.parent.session_leader.process.start": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart": + case "session_leader.process.parent.session_leader.parent.session_leader.process.thread.id": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId": + case "session_leader.process.parent.session_leader.parent.session_leader.process.thread.name": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName": + case "session_leader.process.parent.session_leader.parent.session_leader.process.title": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle": + case "session_leader.process.parent.session_leader.parent.session_leader.process.uptime": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime": + case "session_leader.process.parent.session_leader.parent.session_leader.process.vpid": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid": + case "session_leader.process.parent.session_leader.parent.session_leader.process.working_directory": + case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory": return TrySetProcess(document, path, value); case "registry.data.bytes": case "RegistryDataBytes": 
@@ -2382,18 +2382,18 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServerUserRiskStaticScore": case "server.user.risk.static_score_norm": case "ServerUserRiskStaticScoreNorm": - case "server.user.user.domain": - case "ServerUserUserDomain": - case "server.user.user.email": - case "ServerUserUserEmail": - case "server.user.user.full_name": - case "ServerUserUserFullName": - case "server.user.user.hash": - case "ServerUserUserHash": - case "server.user.user.id": - case "ServerUserUserId": - case "server.user.user.name": - case "ServerUserUserName": + case "server.user.target.user.domain": + case "ServerUserTargetUserDomain": + case "server.user.target.user.email": + case "ServerUserTargetUserEmail": + case "server.user.target.user.full_name": + case "ServerUserTargetUserFullName": + case "server.user.target.user.hash": + case "ServerUserTargetUserHash": + case "server.user.target.user.id": + case "ServerUserTargetUserId": + case "server.user.target.user.name": + case "ServerUserTargetUserName": return TrySetServer(document, path, value); case "service.address": case "ServiceAddress": 
@@ -2415,26 +2415,26 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServiceType": case "service.version": case "ServiceVersion": - case "service.service.address": - case "ServiceServiceAddress": - case "service.service.environment": - case "ServiceServiceEnvironment": - case "service.service.ephemeral_id": - case "ServiceServiceEphemeralId": - case "service.service.id": - case "ServiceServiceId": - case "service.service.name": - case "ServiceServiceName": - case "service.service.node.name": - case "ServiceServiceNodeName": - case "service.service.node.role": - case "ServiceServiceNodeRole": - case "service.service.state": - case "ServiceServiceState": - case "service.service.type": - case "ServiceServiceType": - case "service.service.version": - case "ServiceServiceVersion": + case "origin.service.address": + case "OriginServiceAddress": + case "origin.service.environment": + case "OriginServiceEnvironment": + case "origin.service.ephemeral_id": + case "OriginServiceEphemeralId": + case "origin.service.id": + case "OriginServiceId": + case "origin.service.name": + case "OriginServiceName": + case "origin.service.node.name": + case "OriginServiceNodeName": + case "origin.service.node.role": + case "OriginServiceNodeRole": + case "origin.service.state": + case "OriginServiceState": + case "origin.service.type": + case "OriginServiceType": + case "origin.service.version": + case "OriginServiceVersion": return TrySetService(document, path, value); case "source.address": case "SourceAddress": 
@@ -2514,18 +2514,18 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "SourceUserRiskStaticScore": case "source.user.risk.static_score_norm": case "SourceUserRiskStaticScoreNorm": - case "source.user.user.domain": - case "SourceUserUserDomain": - case "source.user.user.email": - case "SourceUserUserEmail": - case "source.user.user.full_name": - case "SourceUserUserFullName": - case "source.user.user.hash": - case "SourceUserUserHash": - case "source.user.user.id": - case "SourceUserUserId": - case "source.user.user.name": - case "SourceUserUserName": + case "source.user.target.user.domain": + case "SourceUserTargetUserDomain": + case "source.user.target.user.email": + case "SourceUserTargetUserEmail": + case "source.user.target.user.full_name": + case "SourceUserTargetUserFullName": + case "source.user.target.user.hash": + case "SourceUserTargetUserHash": + case "source.user.target.user.id": + case "SourceUserTargetUserId": + case "source.user.target.user.name": + case "SourceUserTargetUserName": return TrySetSource(document, path, value); case "threat.feed.dashboard_id": case "ThreatFeedDashboardId": 
@@ -2583,280 +2583,280 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ThreatSoftwareReference": case "threat.software.type": case "ThreatSoftwareType": - case "threat.x509.issuer.distinguished_name": - case "ThreatX509IssuerDistinguishedName": - case "threat.x509.not_after": - case "ThreatX509NotAfter": - case "threat.x509.not_before": - case "ThreatX509NotBefore": - case "threat.x509.public_key_algorithm": - case "ThreatX509PublicKeyAlgorithm": - case "threat.x509.public_key_curve": - case "ThreatX509PublicKeyCurve": - case "threat.x509.public_key_exponent": - case "ThreatX509PublicKeyExponent": - case "threat.x509.public_key_size": - case "ThreatX509PublicKeySize": - case "threat.x509.serial_number": - case "ThreatX509SerialNumber": - case "threat.x509.signature_algorithm": - case "ThreatX509SignatureAlgorithm": - case "threat.x509.subject.distinguished_name": - case "ThreatX509SubjectDistinguishedName": - case "threat.x509.version_number": - case "ThreatX509VersionNumber": - case "threat.as.number": - case "ThreatAsNumber": - case "threat.as.organization.name": - case "ThreatAsOrganizationName": - case "threat.file.accessed": - case "ThreatFileAccessed": - case "threat.file.created": - case "ThreatFileCreated": - case "threat.file.ctime": - case "ThreatFileCtime": - case "threat.file.device": - case "ThreatFileDevice": - case "threat.file.directory": - case "ThreatFileDirectory": - case "threat.file.drive_letter": - case "ThreatFileDriveLetter": - case "threat.file.extension": - case "ThreatFileExtension": - case "threat.file.fork_name": - case "ThreatFileForkName": - case "threat.file.gid": - case "ThreatFileGid": - case "threat.file.group": - case "ThreatFileGroup": - case "threat.file.inode": - case "ThreatFileInode": - case "threat.file.mime_type": - case "ThreatFileMimeType": - case "threat.file.mode": - case "ThreatFileMode": - case "threat.file.mtime": - case "ThreatFileMtime": - case "threat.file.name": - case 
"ThreatFileName": - case "threat.file.owner": - case "ThreatFileOwner": - case "threat.file.path": - case "ThreatFilePath": - case "threat.file.size": - case "ThreatFileSize": - case "threat.file.target_path": - case "ThreatFileTargetPath": - case "threat.file.type": - case "ThreatFileType": - case "threat.file.uid": - case "ThreatFileUid": - case "threat.file.hash.md5": - case "ThreatFileHashMd5": - case "threat.file.hash.sha1": - case "ThreatFileHashSha1": - case "threat.file.hash.sha256": - case "ThreatFileHashSha256": - case "threat.file.hash.sha384": - case "ThreatFileHashSha384": - case "threat.file.hash.sha512": - case "ThreatFileHashSha512": - case "threat.file.hash.ssdeep": - case "ThreatFileHashSsdeep": - case "threat.file.hash.tlsh": - case "ThreatFileHashTlsh": - case "threat.file.pe.architecture": - case "ThreatFilePeArchitecture": - case "threat.file.pe.company": - case "ThreatFilePeCompany": - case "threat.file.pe.description": - case "ThreatFilePeDescription": - case "threat.file.pe.file_version": - case "ThreatFilePeFileVersion": - case "threat.file.pe.go_import_hash": - case "ThreatFilePeGoImportHash": - case "threat.file.pe.go_imports": - case "ThreatFilePeGoImports": - case "threat.file.pe.go_imports_names_entropy": - case "ThreatFilePeGoImportsNamesEntropy": - case "threat.file.pe.go_imports_names_var_entropy": - case "ThreatFilePeGoImportsNamesVarEntropy": - case "threat.file.pe.go_stripped": - case "ThreatFilePeGoStripped": - case "threat.file.pe.imphash": - case "ThreatFilePeImphash": - case "threat.file.pe.import_hash": - case "ThreatFilePeImportHash": - case "threat.file.pe.imports_names_entropy": - case "ThreatFilePeImportsNamesEntropy": - case "threat.file.pe.imports_names_var_entropy": - case "ThreatFilePeImportsNamesVarEntropy": - case "threat.file.pe.original_file_name": - case "ThreatFilePeOriginalFileName": - case "threat.file.pe.pehash": - case "ThreatFilePePehash": - case "threat.file.pe.product": - case "ThreatFilePeProduct": - 
case "threat.file.x509.issuer.distinguished_name": - case "ThreatFileX509IssuerDistinguishedName": - case "threat.file.x509.not_after": - case "ThreatFileX509NotAfter": - case "threat.file.x509.not_before": - case "ThreatFileX509NotBefore": - case "threat.file.x509.public_key_algorithm": - case "ThreatFileX509PublicKeyAlgorithm": - case "threat.file.x509.public_key_curve": - case "ThreatFileX509PublicKeyCurve": - case "threat.file.x509.public_key_exponent": - case "ThreatFileX509PublicKeyExponent": - case "threat.file.x509.public_key_size": - case "ThreatFileX509PublicKeySize": - case "threat.file.x509.serial_number": - case "ThreatFileX509SerialNumber": - case "threat.file.x509.signature_algorithm": - case "ThreatFileX509SignatureAlgorithm": - case "threat.file.x509.subject.distinguished_name": - case "ThreatFileX509SubjectDistinguishedName": - case "threat.file.x509.version_number": - case "ThreatFileX509VersionNumber": - case "threat.file.code_signature.digest_algorithm": - case "ThreatFileCodeSignatureDigestAlgorithm": - case "threat.file.code_signature.exists": - case "ThreatFileCodeSignatureExists": - case "threat.file.code_signature.signing_id": - case "ThreatFileCodeSignatureSigningId": - case "threat.file.code_signature.status": - case "ThreatFileCodeSignatureStatus": - case "threat.file.code_signature.subject_name": - case "ThreatFileCodeSignatureSubjectName": - case "threat.file.code_signature.team_id": - case "ThreatFileCodeSignatureTeamId": - case "threat.file.code_signature.timestamp": - case "ThreatFileCodeSignatureTimestamp": - case "threat.file.code_signature.trusted": - case "ThreatFileCodeSignatureTrusted": - case "threat.file.code_signature.valid": - case "ThreatFileCodeSignatureValid": - case "threat.file.elf.architecture": - case "ThreatFileElfArchitecture": - case "threat.file.elf.byte_order": - case "ThreatFileElfByteOrder": - case "threat.file.elf.cpu_type": - case "ThreatFileElfCpuType": - case "threat.file.elf.creation_date": - case 
"ThreatFileElfCreationDate": - case "threat.file.elf.go_import_hash": - case "ThreatFileElfGoImportHash": - case "threat.file.elf.go_imports": - case "ThreatFileElfGoImports": - case "threat.file.elf.go_imports_names_entropy": - case "ThreatFileElfGoImportsNamesEntropy": - case "threat.file.elf.go_imports_names_var_entropy": - case "ThreatFileElfGoImportsNamesVarEntropy": - case "threat.file.elf.go_stripped": - case "ThreatFileElfGoStripped": - case "threat.file.elf.header.abi_version": - case "ThreatFileElfHeaderAbiVersion": - case "threat.file.elf.header.class": - case "ThreatFileElfHeaderClass": - case "threat.file.elf.header.data": - case "ThreatFileElfHeaderData": - case "threat.file.elf.header.entrypoint": - case "ThreatFileElfHeaderEntrypoint": - case "threat.file.elf.header.object_version": - case "ThreatFileElfHeaderObjectVersion": - case "threat.file.elf.header.os_abi": - case "ThreatFileElfHeaderOsAbi": - case "threat.file.elf.header.type": - case "ThreatFileElfHeaderType": - case "threat.file.elf.header.version": - case "ThreatFileElfHeaderVersion": - case "threat.file.elf.import_hash": - case "ThreatFileElfImportHash": - case "threat.file.elf.imports_names_entropy": - case "ThreatFileElfImportsNamesEntropy": - case "threat.file.elf.imports_names_var_entropy": - case "ThreatFileElfImportsNamesVarEntropy": - case "threat.file.elf.telfhash": - case "ThreatFileElfTelfhash": - case "threat.file.macho.go_import_hash": - case "ThreatFileMachoGoImportHash": - case "threat.file.macho.go_imports": - case "ThreatFileMachoGoImports": - case "threat.file.macho.go_imports_names_entropy": - case "ThreatFileMachoGoImportsNamesEntropy": - case "threat.file.macho.go_imports_names_var_entropy": - case "ThreatFileMachoGoImportsNamesVarEntropy": - case "threat.file.macho.go_stripped": - case "ThreatFileMachoGoStripped": - case "threat.file.macho.import_hash": - case "ThreatFileMachoImportHash": - case "threat.file.macho.imports_names_entropy": - case 
"ThreatFileMachoImportsNamesEntropy": - case "threat.file.macho.imports_names_var_entropy": - case "ThreatFileMachoImportsNamesVarEntropy": - case "threat.file.macho.symhash": - case "ThreatFileMachoSymhash": - case "threat.geo.city_name": - case "ThreatGeoCityName": - case "threat.geo.continent_code": - case "ThreatGeoContinentCode": - case "threat.geo.continent_name": - case "ThreatGeoContinentName": - case "threat.geo.country_iso_code": - case "ThreatGeoCountryIsoCode": - case "threat.geo.country_name": - case "ThreatGeoCountryName": - case "threat.geo.name": - case "ThreatGeoName": - case "threat.geo.postal_code": - case "ThreatGeoPostalCode": - case "threat.geo.region_iso_code": - case "ThreatGeoRegionIsoCode": - case "threat.geo.region_name": - case "ThreatGeoRegionName": - case "threat.geo.timezone": - case "ThreatGeoTimezone": - case "threat.registry.data.bytes": - case "ThreatRegistryDataBytes": - case "threat.registry.data.type": - case "ThreatRegistryDataType": - case "threat.registry.hive": - case "ThreatRegistryHive": - case "threat.registry.key": - case "ThreatRegistryKey": - case "threat.registry.path": - case "ThreatRegistryPath": - case "threat.registry.value": - case "ThreatRegistryValue": - case "threat.url.domain": - case "ThreatUrlDomain": - case "threat.url.extension": - case "ThreatUrlExtension": - case "threat.url.fragment": - case "ThreatUrlFragment": - case "threat.url.full": - case "ThreatUrlFull": - case "threat.url.original": - case "ThreatUrlOriginal": - case "threat.url.password": - case "ThreatUrlPassword": - case "threat.url.path": - case "ThreatUrlPath": - case "threat.url.port": - case "ThreatUrlPort": - case "threat.url.query": - case "ThreatUrlQuery": - case "threat.url.registered_domain": - case "ThreatUrlRegisteredDomain": - case "threat.url.scheme": - case "ThreatUrlScheme": - case "threat.url.subdomain": - case "ThreatUrlSubdomain": - case "threat.url.top_level_domain": - case "ThreatUrlTopLevelDomain": - case 
"threat.url.username": - case "ThreatUrlUsername": + case "threat.indicator.x509.issuer.distinguished_name": + case "ThreatIndicatorX509IssuerDistinguishedName": + case "threat.indicator.x509.not_after": + case "ThreatIndicatorX509NotAfter": + case "threat.indicator.x509.not_before": + case "ThreatIndicatorX509NotBefore": + case "threat.indicator.x509.public_key_algorithm": + case "ThreatIndicatorX509PublicKeyAlgorithm": + case "threat.indicator.x509.public_key_curve": + case "ThreatIndicatorX509PublicKeyCurve": + case "threat.indicator.x509.public_key_exponent": + case "ThreatIndicatorX509PublicKeyExponent": + case "threat.indicator.x509.public_key_size": + case "ThreatIndicatorX509PublicKeySize": + case "threat.indicator.x509.serial_number": + case "ThreatIndicatorX509SerialNumber": + case "threat.indicator.x509.signature_algorithm": + case "ThreatIndicatorX509SignatureAlgorithm": + case "threat.indicator.x509.subject.distinguished_name": + case "ThreatIndicatorX509SubjectDistinguishedName": + case "threat.indicator.x509.version_number": + case "ThreatIndicatorX509VersionNumber": + case "threat.indicator.as.number": + case "ThreatIndicatorAsNumber": + case "threat.indicator.as.organization.name": + case "ThreatIndicatorAsOrganizationName": + case "threat.indicator.file.accessed": + case "ThreatIndicatorFileAccessed": + case "threat.indicator.file.created": + case "ThreatIndicatorFileCreated": + case "threat.indicator.file.ctime": + case "ThreatIndicatorFileCtime": + case "threat.indicator.file.device": + case "ThreatIndicatorFileDevice": + case "threat.indicator.file.directory": + case "ThreatIndicatorFileDirectory": + case "threat.indicator.file.drive_letter": + case "ThreatIndicatorFileDriveLetter": + case "threat.indicator.file.extension": + case "ThreatIndicatorFileExtension": + case "threat.indicator.file.fork_name": + case "ThreatIndicatorFileForkName": + case "threat.indicator.file.gid": + case "ThreatIndicatorFileGid": + case 
"threat.indicator.file.group": + case "ThreatIndicatorFileGroup": + case "threat.indicator.file.inode": + case "ThreatIndicatorFileInode": + case "threat.indicator.file.mime_type": + case "ThreatIndicatorFileMimeType": + case "threat.indicator.file.mode": + case "ThreatIndicatorFileMode": + case "threat.indicator.file.mtime": + case "ThreatIndicatorFileMtime": + case "threat.indicator.file.name": + case "ThreatIndicatorFileName": + case "threat.indicator.file.owner": + case "ThreatIndicatorFileOwner": + case "threat.indicator.file.path": + case "ThreatIndicatorFilePath": + case "threat.indicator.file.size": + case "ThreatIndicatorFileSize": + case "threat.indicator.file.target_path": + case "ThreatIndicatorFileTargetPath": + case "threat.indicator.file.type": + case "ThreatIndicatorFileType": + case "threat.indicator.file.uid": + case "ThreatIndicatorFileUid": + case "threat.indicator.file.hash.md5": + case "ThreatIndicatorFileHashMd5": + case "threat.indicator.file.hash.sha1": + case "ThreatIndicatorFileHashSha1": + case "threat.indicator.file.hash.sha256": + case "ThreatIndicatorFileHashSha256": + case "threat.indicator.file.hash.sha384": + case "ThreatIndicatorFileHashSha384": + case "threat.indicator.file.hash.sha512": + case "ThreatIndicatorFileHashSha512": + case "threat.indicator.file.hash.ssdeep": + case "ThreatIndicatorFileHashSsdeep": + case "threat.indicator.file.hash.tlsh": + case "ThreatIndicatorFileHashTlsh": + case "threat.indicator.file.pe.architecture": + case "ThreatIndicatorFilePeArchitecture": + case "threat.indicator.file.pe.company": + case "ThreatIndicatorFilePeCompany": + case "threat.indicator.file.pe.description": + case "ThreatIndicatorFilePeDescription": + case "threat.indicator.file.pe.file_version": + case "ThreatIndicatorFilePeFileVersion": + case "threat.indicator.file.pe.go_import_hash": + case "ThreatIndicatorFilePeGoImportHash": + case "threat.indicator.file.pe.go_imports": + case "ThreatIndicatorFilePeGoImports": + case 
"threat.indicator.file.pe.go_imports_names_entropy": + case "ThreatIndicatorFilePeGoImportsNamesEntropy": + case "threat.indicator.file.pe.go_imports_names_var_entropy": + case "ThreatIndicatorFilePeGoImportsNamesVarEntropy": + case "threat.indicator.file.pe.go_stripped": + case "ThreatIndicatorFilePeGoStripped": + case "threat.indicator.file.pe.imphash": + case "ThreatIndicatorFilePeImphash": + case "threat.indicator.file.pe.import_hash": + case "ThreatIndicatorFilePeImportHash": + case "threat.indicator.file.pe.imports_names_entropy": + case "ThreatIndicatorFilePeImportsNamesEntropy": + case "threat.indicator.file.pe.imports_names_var_entropy": + case "ThreatIndicatorFilePeImportsNamesVarEntropy": + case "threat.indicator.file.pe.original_file_name": + case "ThreatIndicatorFilePeOriginalFileName": + case "threat.indicator.file.pe.pehash": + case "ThreatIndicatorFilePePehash": + case "threat.indicator.file.pe.product": + case "ThreatIndicatorFilePeProduct": + case "threat.indicator.file.x509.issuer.distinguished_name": + case "ThreatIndicatorFileX509IssuerDistinguishedName": + case "threat.indicator.file.x509.not_after": + case "ThreatIndicatorFileX509NotAfter": + case "threat.indicator.file.x509.not_before": + case "ThreatIndicatorFileX509NotBefore": + case "threat.indicator.file.x509.public_key_algorithm": + case "ThreatIndicatorFileX509PublicKeyAlgorithm": + case "threat.indicator.file.x509.public_key_curve": + case "ThreatIndicatorFileX509PublicKeyCurve": + case "threat.indicator.file.x509.public_key_exponent": + case "ThreatIndicatorFileX509PublicKeyExponent": + case "threat.indicator.file.x509.public_key_size": + case "ThreatIndicatorFileX509PublicKeySize": + case "threat.indicator.file.x509.serial_number": + case "ThreatIndicatorFileX509SerialNumber": + case "threat.indicator.file.x509.signature_algorithm": + case "ThreatIndicatorFileX509SignatureAlgorithm": + case "threat.indicator.file.x509.subject.distinguished_name": + case 
"ThreatIndicatorFileX509SubjectDistinguishedName": + case "threat.indicator.file.x509.version_number": + case "ThreatIndicatorFileX509VersionNumber": + case "threat.indicator.file.code_signature.digest_algorithm": + case "ThreatIndicatorFileCodeSignatureDigestAlgorithm": + case "threat.indicator.file.code_signature.exists": + case "ThreatIndicatorFileCodeSignatureExists": + case "threat.indicator.file.code_signature.signing_id": + case "ThreatIndicatorFileCodeSignatureSigningId": + case "threat.indicator.file.code_signature.status": + case "ThreatIndicatorFileCodeSignatureStatus": + case "threat.indicator.file.code_signature.subject_name": + case "ThreatIndicatorFileCodeSignatureSubjectName": + case "threat.indicator.file.code_signature.team_id": + case "ThreatIndicatorFileCodeSignatureTeamId": + case "threat.indicator.file.code_signature.timestamp": + case "ThreatIndicatorFileCodeSignatureTimestamp": + case "threat.indicator.file.code_signature.trusted": + case "ThreatIndicatorFileCodeSignatureTrusted": + case "threat.indicator.file.code_signature.valid": + case "ThreatIndicatorFileCodeSignatureValid": + case "threat.indicator.file.elf.architecture": + case "ThreatIndicatorFileElfArchitecture": + case "threat.indicator.file.elf.byte_order": + case "ThreatIndicatorFileElfByteOrder": + case "threat.indicator.file.elf.cpu_type": + case "ThreatIndicatorFileElfCpuType": + case "threat.indicator.file.elf.creation_date": + case "ThreatIndicatorFileElfCreationDate": + case "threat.indicator.file.elf.go_import_hash": + case "ThreatIndicatorFileElfGoImportHash": + case "threat.indicator.file.elf.go_imports": + case "ThreatIndicatorFileElfGoImports": + case "threat.indicator.file.elf.go_imports_names_entropy": + case "ThreatIndicatorFileElfGoImportsNamesEntropy": + case "threat.indicator.file.elf.go_imports_names_var_entropy": + case "ThreatIndicatorFileElfGoImportsNamesVarEntropy": + case "threat.indicator.file.elf.go_stripped": + case "ThreatIndicatorFileElfGoStripped": + 
case "threat.indicator.file.elf.header.abi_version": + case "ThreatIndicatorFileElfHeaderAbiVersion": + case "threat.indicator.file.elf.header.class": + case "ThreatIndicatorFileElfHeaderClass": + case "threat.indicator.file.elf.header.data": + case "ThreatIndicatorFileElfHeaderData": + case "threat.indicator.file.elf.header.entrypoint": + case "ThreatIndicatorFileElfHeaderEntrypoint": + case "threat.indicator.file.elf.header.object_version": + case "ThreatIndicatorFileElfHeaderObjectVersion": + case "threat.indicator.file.elf.header.os_abi": + case "ThreatIndicatorFileElfHeaderOsAbi": + case "threat.indicator.file.elf.header.type": + case "ThreatIndicatorFileElfHeaderType": + case "threat.indicator.file.elf.header.version": + case "ThreatIndicatorFileElfHeaderVersion": + case "threat.indicator.file.elf.import_hash": + case "ThreatIndicatorFileElfImportHash": + case "threat.indicator.file.elf.imports_names_entropy": + case "ThreatIndicatorFileElfImportsNamesEntropy": + case "threat.indicator.file.elf.imports_names_var_entropy": + case "ThreatIndicatorFileElfImportsNamesVarEntropy": + case "threat.indicator.file.elf.telfhash": + case "ThreatIndicatorFileElfTelfhash": + case "threat.indicator.file.macho.go_import_hash": + case "ThreatIndicatorFileMachoGoImportHash": + case "threat.indicator.file.macho.go_imports": + case "ThreatIndicatorFileMachoGoImports": + case "threat.indicator.file.macho.go_imports_names_entropy": + case "ThreatIndicatorFileMachoGoImportsNamesEntropy": + case "threat.indicator.file.macho.go_imports_names_var_entropy": + case "ThreatIndicatorFileMachoGoImportsNamesVarEntropy": + case "threat.indicator.file.macho.go_stripped": + case "ThreatIndicatorFileMachoGoStripped": + case "threat.indicator.file.macho.import_hash": + case "ThreatIndicatorFileMachoImportHash": + case "threat.indicator.file.macho.imports_names_entropy": + case "ThreatIndicatorFileMachoImportsNamesEntropy": + case "threat.indicator.file.macho.imports_names_var_entropy": + case 
"ThreatIndicatorFileMachoImportsNamesVarEntropy": + case "threat.indicator.file.macho.symhash": + case "ThreatIndicatorFileMachoSymhash": + case "threat.indicator.geo.city_name": + case "ThreatIndicatorGeoCityName": + case "threat.indicator.geo.continent_code": + case "ThreatIndicatorGeoContinentCode": + case "threat.indicator.geo.continent_name": + case "ThreatIndicatorGeoContinentName": + case "threat.indicator.geo.country_iso_code": + case "ThreatIndicatorGeoCountryIsoCode": + case "threat.indicator.geo.country_name": + case "ThreatIndicatorGeoCountryName": + case "threat.indicator.geo.name": + case "ThreatIndicatorGeoName": + case "threat.indicator.geo.postal_code": + case "ThreatIndicatorGeoPostalCode": + case "threat.indicator.geo.region_iso_code": + case "ThreatIndicatorGeoRegionIsoCode": + case "threat.indicator.geo.region_name": + case "ThreatIndicatorGeoRegionName": + case "threat.indicator.geo.timezone": + case "ThreatIndicatorGeoTimezone": + case "threat.indicator.registry.data.bytes": + case "ThreatIndicatorRegistryDataBytes": + case "threat.indicator.registry.data.type": + case "ThreatIndicatorRegistryDataType": + case "threat.indicator.registry.hive": + case "ThreatIndicatorRegistryHive": + case "threat.indicator.registry.key": + case "ThreatIndicatorRegistryKey": + case "threat.indicator.registry.path": + case "ThreatIndicatorRegistryPath": + case "threat.indicator.registry.value": + case "ThreatIndicatorRegistryValue": + case "threat.indicator.url.domain": + case "ThreatIndicatorUrlDomain": + case "threat.indicator.url.extension": + case "ThreatIndicatorUrlExtension": + case "threat.indicator.url.fragment": + case "ThreatIndicatorUrlFragment": + case "threat.indicator.url.full": + case "ThreatIndicatorUrlFull": + case "threat.indicator.url.original": + case "ThreatIndicatorUrlOriginal": + case "threat.indicator.url.password": + case "ThreatIndicatorUrlPassword": + case "threat.indicator.url.path": + case "ThreatIndicatorUrlPath": + case 
"threat.indicator.url.port": + case "ThreatIndicatorUrlPort": + case "threat.indicator.url.query": + case "ThreatIndicatorUrlQuery": + case "threat.indicator.url.registered_domain": + case "ThreatIndicatorUrlRegisteredDomain": + case "threat.indicator.url.scheme": + case "ThreatIndicatorUrlScheme": + case "threat.indicator.url.subdomain": + case "ThreatIndicatorUrlSubdomain": + case "threat.indicator.url.top_level_domain": + case "ThreatIndicatorUrlTopLevelDomain": + case "threat.indicator.url.username": + case "ThreatIndicatorUrlUsername": return TrySetThreat(document, path, value); case "tls.cipher": case "TlsCipher": 
@@ -2910,28 +2910,28 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "TlsVersion": case "tls.version_protocol": case "TlsVersionProtocol": - case "tls.x509.issuer.distinguished_name": - case "TlsX509IssuerDistinguishedName": - case "tls.x509.not_after": - case "TlsX509NotAfter": - case "tls.x509.not_before": - case "TlsX509NotBefore": - case "tls.x509.public_key_algorithm": - case "TlsX509PublicKeyAlgorithm": - case "tls.x509.public_key_curve": - case "TlsX509PublicKeyCurve": - case "tls.x509.public_key_exponent": - case "TlsX509PublicKeyExponent": - case "tls.x509.public_key_size": - case "TlsX509PublicKeySize": - case "tls.x509.serial_number": - case "TlsX509SerialNumber": - case "tls.x509.signature_algorithm": - case "TlsX509SignatureAlgorithm": - case "tls.x509.subject.distinguished_name": - case "TlsX509SubjectDistinguishedName": - case "tls.x509.version_number": - case "TlsX509VersionNumber": + case "tls.client.x509.issuer.distinguished_name": + case "TlsClientX509IssuerDistinguishedName": + case "tls.client.x509.not_after": + case "TlsClientX509NotAfter": + case "tls.client.x509.not_before": + case "TlsClientX509NotBefore": + case "tls.client.x509.public_key_algorithm": + case "TlsClientX509PublicKeyAlgorithm": + case "tls.client.x509.public_key_curve": + case "TlsClientX509PublicKeyCurve": + case "tls.client.x509.public_key_exponent": + case "TlsClientX509PublicKeyExponent": + case "tls.client.x509.public_key_size": + case "TlsClientX509PublicKeySize": + case "tls.client.x509.serial_number": + case "TlsClientX509SerialNumber": + case "tls.client.x509.signature_algorithm": + case "TlsClientX509SignatureAlgorithm": + case "tls.client.x509.subject.distinguished_name": + case "TlsClientX509SubjectDistinguishedName": + case "tls.client.x509.version_number": + case "TlsClientX509VersionNumber": return TrySetTls(document, path, value); case "url.domain": case "UrlDomain": 
@@ -2992,18 +2992,18 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "UserRiskStaticScore": case "user.risk.static_score_norm": case "UserRiskStaticScoreNorm": - case "user.user.domain": - case "UserUserDomain": - case "user.user.email": - case "UserUserEmail": - case "user.user.full_name": - case "UserUserFullName": - case "user.user.hash": - case "UserUserHash": - case "user.user.id": - case "UserUserId": - case "user.user.name": - case "UserUserName": + case "target.user.domain": + case "TargetUserDomain": + case "target.user.email": + case "TargetUserEmail": + case "target.user.full_name": + case "TargetUserFullName": + case "target.user.hash": + case "TargetUserHash": + case "target.user.id": + case "TargetUserId": + case "target.user.name": + case "TargetUserName": return TrySetUser(document, path, value); case "user_agent.device.name": case "UserAgentDeviceName": @@ -3105,7 +3105,7 @@ public static bool TrySetEcsDocument(EcsDocument document, string path, object v return assign != null && assign(document, value); } - public static bool TrySetAgent(EcsDocument document, string path, object value) + public static Func TryAssignAgent(string path) { Func assign = path switch { @@ -3123,6 +3123,11 @@ public static bool TrySetAgent(EcsDocument document, string path, object value) "AgentVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetAgent(EcsDocument document, string path, object value) + { + var assign = TryAssignAgent(path); if (assign == null) return false; var entity = document.Agent ?? new Agent(); 
@@ -3131,7 +3136,30 @@ public static bool TrySetAgent(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetClient(EcsDocument document, string path, object value) + public static Func TryAssignAs(string path) + { + Func assign = path switch + { + "as.number" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), + "AsNumber" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), + "as.organization.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + _ => null + }; + return assign; + } + public static bool TrySetAs(IAs document, string path, object value) + { + var assign = TryAssignAs(path); + if (assign == null) return false; + + var entity = document.As ?? new As(); + var assigned = assign(entity, value); + if (assigned) document.As = entity; + return assigned; + } + + public static Func TryAssignClient(string path) { Func assign = path switch { 
@@ -3159,74 +3187,79 @@ public static bool TrySetClient(EcsDocument document, string path, object value) "ClientSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "client.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ClientTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "client.as.number" => static (e, v) => TrySetAs(e, "as.number", v), - "ClientAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), - "client.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "ClientAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "client.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "ClientGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "client.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "ClientGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "client.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "ClientGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "client.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "ClientGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "client.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "ClientGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "client.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "ClientGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "client.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "ClientGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "client.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "ClientGeoRegionIsoCode" 
=> static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "client.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "ClientGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "client.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "ClientGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "client.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), - "ClientUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), - "client.user.email" => static (e, v) => TrySetUser(e, "user.email", v), - "ClientUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), - "client.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), - "ClientUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), - "client.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), - "ClientUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), - "client.user.id" => static (e, v) => TrySetUser(e, "user.id", v), - "ClientUserId" => static (e, v) => TrySetUser(e, "user.id", v), - "client.user.name" => static (e, v) => TrySetUser(e, "user.name", v), - "ClientUserName" => static (e, v) => TrySetUser(e, "user.name", v), - "client.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "ClientUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "client.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), - "ClientUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), - "client.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), - "ClientUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), - "client.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "ClientUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "client.user.risk.calculated_score" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "ClientUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "client.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "ClientUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "client.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "ClientUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "client.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "ClientUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "client.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "ClientUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "client.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "ClientUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "client.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), - "ClientUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), - "client.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "ClientUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "client.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "ClientUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "client.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), - "ClientUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), - "client.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), - "ClientUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), + "client.as.number" 
=> static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "ClientAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "client.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "ClientAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "client.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "ClientGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "client.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "ClientGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "client.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "ClientGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "client.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "ClientGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "client.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "ClientGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "client.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "ClientGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "client.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "ClientGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "client.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "ClientGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? 
new Geo(),v), + "client.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "ClientGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "client.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "ClientGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "client.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "ClientUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "client.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "ClientUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "client.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "ClientUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "client.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "ClientUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "client.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "ClientUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "client.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "ClientUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "client.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "ClientUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "client.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "ClientUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? 
new User(),v), + "client.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "ClientUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "client.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "ClientUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "client.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "ClientUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "client.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "ClientUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "client.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "ClientUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "client.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "ClientUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "client.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "ClientUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "client.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "ClientUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? 
new User(),v), + "client.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "ClientUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "client.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "ClientUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "client.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "ClientUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "client.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "ClientUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "client.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), + "ClientUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), _ => null }; + return assign; + } + public static bool TrySetClient(EcsDocument document, string path, object value) + { + var assign = TryAssignClient(path); if (assign == null) return false; var entity = document.Client ?? new Client(); @@ -3235,7 +3268,7 @@ public static bool TrySetClient(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetCloud(EcsDocument document, string path, object value) + public static Func TryAssignCloud(string path) { Func assign = path switch { 
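Review bot: The nested-entity arms added to TryAssignClient lose the value whenever the child entity is still null. `TryAssignAs("as.number")(e.As ?? new As(),v)` writes into a temporary `As` that is never stored on `e.As`, and the `e.Geo ?? new Geo()` and `e.User ?? new User()` arms behave the same way. The removed arms went through `TrySetAs`/`TrySetGeo`/`TrySetUser`, and the `TrySetAs(IAs document, ...)` added earlier in this diff does write the entity back, so, assuming `Client` implements the matching interfaces, an arm such as `"client.as.number" => static (e, v) => TrySetAs(e, "as.number", v),` keeps the assignment. The same pattern is in the TryAssignCloud hunk (`e.Origin ?? new CloudOrigin()`) and the TryAssignDestination hunk. Fields like `client.user.id` would then be silently missing from the emitted event, which weakens audit and detection use of these logs; the code looks generated, so the change probably belongs in the generator template.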
@@ -3261,30 +3294,35 @@ public static bool TrySetCloud(EcsDocument document, string path, object value) "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - "cloud.cloud.account.id" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.id", v), - "CloudCloudAccountId" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.id", v), - "cloud.cloud.account.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.name", v), - "CloudCloudAccountName" => static (e, v) => TrySetCloudOrigin(e, "cloud.account.name", v), - "cloud.cloud.availability_zone" => static (e, v) => TrySetCloudOrigin(e, "cloud.availability_zone", v), - "CloudCloudAvailabilityZone" => static (e, v) => TrySetCloudOrigin(e, "cloud.availability_zone", v), - "cloud.cloud.instance.id" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.id", v), - "CloudCloudInstanceId" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.id", v), - "cloud.cloud.instance.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.name", v), - "CloudCloudInstanceName" => static (e, v) => TrySetCloudOrigin(e, "cloud.instance.name", v), - "cloud.cloud.machine.type" => static (e, v) => TrySetCloudOrigin(e, "cloud.machine.type", v), - "CloudCloudMachineType" => static (e, v) => TrySetCloudOrigin(e, "cloud.machine.type", v), - "cloud.cloud.project.id" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.id", v), - "CloudCloudProjectId" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.id", v), - "cloud.cloud.project.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.name", v), - "CloudCloudProjectName" => static (e, v) => TrySetCloudOrigin(e, "cloud.project.name", v), - "cloud.cloud.provider" => static (e, v) => TrySetCloudOrigin(e, "cloud.provider", v), - 
"CloudCloudProvider" => static (e, v) => TrySetCloudOrigin(e, "cloud.provider", v), - "cloud.cloud.region" => static (e, v) => TrySetCloudOrigin(e, "cloud.region", v), - "CloudCloudRegion" => static (e, v) => TrySetCloudOrigin(e, "cloud.region", v), - "cloud.cloud.service.name" => static (e, v) => TrySetCloudOrigin(e, "cloud.service.name", v), - "CloudCloudServiceName" => static (e, v) => TrySetCloudOrigin(e, "cloud.service.name", v), + "origin.cloud.account.id" => static (e, v) => TryAssignCloudOrigin("cloud.account.id")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudAccountId" => static (e, v) => TryAssignCloudOrigin("cloud.account.id")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.account.name" => static (e, v) => TryAssignCloudOrigin("cloud.account.name")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudAccountName" => static (e, v) => TryAssignCloudOrigin("cloud.account.name")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.availability_zone" => static (e, v) => TryAssignCloudOrigin("cloud.availability_zone")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudAvailabilityZone" => static (e, v) => TryAssignCloudOrigin("cloud.availability_zone")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.instance.id" => static (e, v) => TryAssignCloudOrigin("cloud.instance.id")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudInstanceId" => static (e, v) => TryAssignCloudOrigin("cloud.instance.id")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.instance.name" => static (e, v) => TryAssignCloudOrigin("cloud.instance.name")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudInstanceName" => static (e, v) => TryAssignCloudOrigin("cloud.instance.name")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.machine.type" => static (e, v) => TryAssignCloudOrigin("cloud.machine.type")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudMachineType" => static (e, v) => TryAssignCloudOrigin("cloud.machine.type")(e.Origin ?? 
new CloudOrigin(),v), + "origin.cloud.project.id" => static (e, v) => TryAssignCloudOrigin("cloud.project.id")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudProjectId" => static (e, v) => TryAssignCloudOrigin("cloud.project.id")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.project.name" => static (e, v) => TryAssignCloudOrigin("cloud.project.name")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudProjectName" => static (e, v) => TryAssignCloudOrigin("cloud.project.name")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.provider" => static (e, v) => TryAssignCloudOrigin("cloud.provider")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudProvider" => static (e, v) => TryAssignCloudOrigin("cloud.provider")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.region" => static (e, v) => TryAssignCloudOrigin("cloud.region")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudRegion" => static (e, v) => TryAssignCloudOrigin("cloud.region")(e.Origin ?? new CloudOrigin(),v), + "origin.cloud.service.name" => static (e, v) => TryAssignCloudOrigin("cloud.service.name")(e.Origin ?? new CloudOrigin(),v), + "OriginCloudServiceName" => static (e, v) => TryAssignCloudOrigin("cloud.service.name")(e.Origin ?? new CloudOrigin(),v), _ => null }; + return assign; + } + public static bool TrySetCloud(EcsDocument document, string path, object value) + { + var assign = TryAssignCloud(path); if (assign == null) return false; var entity = document.Cloud ?? new Cloud(); 
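Review bot: The new keys for the origin sub-entity, for example `"origin.cloud.account.id"` and `"OriginCloudAccountId"`, do not carry the parent prefix, unlike the sibling arms in TryAssignClient (`"client.as.number"`, `"ClientAsNumber"`). A property named after the ECS field `cloud.origin.account.id` would presumably match no arm here and fall through to `_ => null`. If these arms are meant to address `Cloud.Origin`, keys of the form `"cloud.origin.account.id"` / `"CloudOriginAccountId"` would be consistent with the rest of the file. The switch begins outside this hunk, so arms not shown here may already cover that spelling.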
@@ -3293,7 +3331,44 @@ public static bool TrySetCloud(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetContainer(EcsDocument document, string path, object value) + public static Func TryAssignCodeSignature(string path) + { + Func assign = path switch + { + "code_signature.digest_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), + "CodeSignatureDigestAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), + "code_signature.exists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), + "CodeSignatureExists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), + "code_signature.signing_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), + "CodeSignatureSigningId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), + "code_signature.status" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), + "CodeSignatureStatus" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), + "code_signature.subject_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), + "CodeSignatureSubjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), + "code_signature.team_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), + "CodeSignatureTeamId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), + "code_signature.timestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), + "CodeSignatureTimestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), + "code_signature.trusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), + "CodeSignatureTrusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), + "code_signature.valid" => static 
(e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = p), + "CodeSignatureValid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = p), + _ => null + }; + return assign; + } + public static bool TrySetCodeSignature(ICodeSignature document, string path, object value) + { + var assign = TryAssignCodeSignature(path); + if (assign == null) return false; + + var entity = document.CodeSignature ?? new CodeSignature(); + var assigned = assign(entity, value); + if (assigned) document.CodeSignature = entity; + return assigned; + } + + public static Func TryAssignContainer(string path) { Func assign = path switch { @@ -3321,6 +3396,11 @@ public static bool TrySetContainer(EcsDocument document, string path, object val "ContainerSecurityContextPrivileged" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.SecurityContextPrivileged = p), _ => null }; + return assign; + } + public static bool TrySetContainer(EcsDocument document, string path, object value) + { + var assign = TryAssignContainer(path); if (assign == null) return false; var entity = document.Container ?? new Container(); @@ -3329,7 +3409,7 @@ public static bool TrySetContainer(EcsDocument document, string path, object val return assigned; } - public static bool TrySetDataStream(EcsDocument document, string path, object value) + public static Func TryAssignDataStream(string path) { Func assign = path switch { @@ -3341,6 +3421,11 @@ public static bool TrySetDataStream(EcsDocument document, string path, object va "DataStreamType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetDataStream(EcsDocument document, string path, object value) + { + var assign = TryAssignDataStream(path); if (assign == null) return false; var entity = document.DataStream ?? new DataStream(); 
@@ -3349,7 +3434,7 @@ public static bool TrySetDataStream(EcsDocument document, string path, object va return assigned; } - public static bool TrySetDestination(EcsDocument document, string path, object value) + public static Func TryAssignDestination(string path) { Func assign = path switch { 
@@ -3377,74 +3462,79 @@ public static bool TrySetDestination(EcsDocument document, string path, object v "DestinationSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "destination.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "DestinationTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "destination.as.number" => static (e, v) => TrySetAs(e, "as.number", v), - "DestinationAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), - "destination.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "DestinationAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "destination.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "DestinationGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "destination.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "DestinationGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "destination.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "DestinationGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "destination.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "DestinationGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "destination.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "DestinationGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "destination.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "DestinationGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "destination.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "DestinationGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - 
"destination.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "DestinationGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "destination.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "DestinationGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "destination.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "DestinationGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "destination.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), - "DestinationUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), - "destination.user.email" => static (e, v) => TrySetUser(e, "user.email", v), - "DestinationUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), - "destination.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), - "DestinationUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), - "destination.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), - "DestinationUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), - "destination.user.id" => static (e, v) => TrySetUser(e, "user.id", v), - "DestinationUserId" => static (e, v) => TrySetUser(e, "user.id", v), - "destination.user.name" => static (e, v) => TrySetUser(e, "user.name", v), - "DestinationUserName" => static (e, v) => TrySetUser(e, "user.name", v), - "destination.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "DestinationUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "destination.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), - "DestinationUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), - "destination.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), - "DestinationUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), - 
"destination.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "DestinationUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "destination.user.risk.calculated_score" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "DestinationUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "destination.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "DestinationUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "destination.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "DestinationUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "destination.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "DestinationUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "destination.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "DestinationUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "destination.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "DestinationUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "destination.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), - "DestinationUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), - "destination.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "DestinationUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "destination.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "DestinationUserUserHash" => static (e, v) => TrySetUser(e, 
"user.user.hash", v), - "destination.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), - "DestinationUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), - "destination.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), - "DestinationUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), + "destination.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "DestinationAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "destination.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "DestinationAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "destination.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "DestinationGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "destination.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "DestinationGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "destination.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "DestinationGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "destination.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "DestinationGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "destination.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "DestinationGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "destination.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? 
new Geo(),v), + "DestinationGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "destination.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "DestinationGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "destination.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "DestinationGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "destination.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "DestinationGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "destination.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "DestinationGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "destination.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "DestinationUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "destination.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "DestinationUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "destination.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "DestinationUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "destination.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "DestinationUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "destination.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "DestinationUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? 
new User(),v), + "destination.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "DestinationUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "destination.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "DestinationUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "destination.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "DestinationUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "destination.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "DestinationUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "destination.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "DestinationUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "destination.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "DestinationUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "destination.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "DestinationUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "destination.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "DestinationUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? 
new User(),v), + "destination.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "DestinationUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "destination.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "DestinationUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "destination.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "DestinationUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "destination.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "DestinationUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "destination.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "DestinationUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "destination.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "DestinationUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "destination.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "DestinationUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "destination.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), + "DestinationUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? 
new User(),v), _ => null }; + return assign; + } + public static bool TrySetDestination(EcsDocument document, string path, object value) + { + var assign = TryAssignDestination(path); if (assign == null) return false; var entity = document.Destination ?? new Destination(); @@ -3453,7 +3543,7 @@ public static bool TrySetDestination(EcsDocument document, string path, object v return assigned; } - public static bool TrySetDevice(EcsDocument document, string path, object value) + public static Func TryAssignDevice(string path) { Func assign = path switch { @@ -3467,6 +3557,11 @@ public static bool TrySetDevice(EcsDocument document, string path, object value) "DeviceModelName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ModelName = p), _ => null }; + return assign; + } + public static bool TrySetDevice(EcsDocument document, string path, object value) + { + var assign = TryAssignDevice(path); if (assign == null) return false; var entity = document.Device ?? new Device(); @@ -3475,7 +3570,7 @@ public static bool TrySetDevice(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetDll(EcsDocument document, string path, object value) + public static Func TryAssignDll(string path) { Func assign = path switch { 
@@ -3483,72 +3578,77 @@ public static bool TrySetDll(EcsDocument document, string path, object value) "DllName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "dll.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), "DllPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "dll.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "DllHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "dll.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "DllHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "dll.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "DllHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "dll.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "DllHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "dll.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "DllHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "dll.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "DllHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "dll.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "DllHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "dll.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "DllPeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "dll.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), - "DllPeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), - "dll.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), - "DllPeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), - "dll.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "DllPeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "dll.pe.go_import_hash" => static (e, v) => TrySetPe(e, 
"pe.go_import_hash", v), - "DllPeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), - "dll.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - "DllPeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - "dll.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "DllPeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "dll.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "DllPeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "dll.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "DllPeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "dll.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "DllPeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "dll.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "DllPeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "dll.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "DllPeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "dll.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "DllPeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "dll.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "DllPeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "dll.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "DllPePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "dll.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), - "DllPeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), - "dll.code_signature.digest_algorithm" => static 
(e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), - "DllCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), - "dll.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "DllCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "dll.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "DllCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "dll.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "DllCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "dll.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "DllCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "dll.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "DllCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "dll.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "DllCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "dll.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "DllCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "dll.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), - "DllCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), + "dll.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? 
new Hash(),v), + "DllHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), + "dll.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), + "DllHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), + "dll.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), + "DllHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), + "dll.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), + "DllHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), + "dll.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), + "DllHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), + "dll.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), + "DllHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), + "dll.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), + "DllHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), + "dll.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), + "DllPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), + "dll.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), + "DllPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), + "dll.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), + "DllPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), + "dll.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), + "DllPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? 
new Pe(),v), + "dll.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), + "DllPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), + "dll.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), + "DllPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), + "dll.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), + "DllPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), + "dll.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "DllPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "dll.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), + "DllPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), + "dll.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), + "DllPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), + "dll.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), + "DllPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), + "dll.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), + "DllPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), + "dll.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "DllPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "dll.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? 
new Pe(),v), + "DllPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), + "dll.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), + "DllPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), + "dll.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), + "DllPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), + "dll.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? 
new CodeSignature(),v), + "dll.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), + "dll.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), + "DllCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), _ => null }; + return assign; + } + public static bool TrySetDll(EcsDocument document, string path, object value) + { + var assign = TryAssignDll(path); if (assign == null) return false; var entity = document.Dll ?? new Dll(); @@ -3557,7 +3657,7 @@ public static bool TrySetDll(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetDns(EcsDocument document, string path, object value) + public static Func TryAssignDns(string path) { Func assign = path switch { 
@@ -3583,6 +3683,11 @@ public static bool TrySetDns(EcsDocument document, string path, object value) "DnsType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetDns(EcsDocument document, string path, object value) + { + var assign = TryAssignDns(path); if (assign == null) return false; var entity = document.Dns ?? new Dns(); @@ -3591,7 +3696,7 @@ public static bool TrySetDns(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetEcs(EcsDocument document, string path, object value) + public static Func TryAssignEcs(string path) { Func assign = path switch { @@ -3599,6 +3704,11 @@ public static bool TrySetEcs(EcsDocument document, string path, object value) "EcsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetEcs(EcsDocument document, string path, object value) + { + var assign = TryAssignEcs(path); if (assign == null) return false; var entity = document.Ecs ?? new Ecs(); 
@@ -3607,7 +3717,68 @@ public static bool TrySetEcs(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetEmail(EcsDocument document, string path, object value) + public static Func TryAssignElf(string path) + { + Func assign = path switch + { + "elf.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "ElfArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "elf.byte_order" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), + "ElfByteOrder" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), + "elf.cpu_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), + "ElfCpuType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), + "elf.creation_date" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), + "ElfCreationDate" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), + "elf.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "ElfGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "elf.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "ElfGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "elf.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "ElfGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "elf.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "ElfGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "elf.go_stripped" => static (e, v) => TrySetBool(e, v, 
static (ee, p) => ee.GoStripped = p), + "ElfGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "elf.header.abi_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), + "ElfHeaderAbiVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), + "elf.header.class" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), + "ElfHeaderClass" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), + "elf.header.data" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), + "ElfHeaderData" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), + "elf.header.entrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), + "ElfHeaderEntrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), + "elf.header.object_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderObjectVersion = p), + "ElfHeaderObjectVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderObjectVersion = p), + "elf.header.os_abi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), + "ElfHeaderOsAbi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), + "elf.header.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), + "ElfHeaderType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), + "elf.header.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), + "ElfHeaderVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), + "elf.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "ElfImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "elf.imports_names_entropy" => 
static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "ElfImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "elf.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "ElfImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "elf.telfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), + "ElfTelfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), + _ => null + }; + return assign; + } + public static bool TrySetElf(IElf document, string path, object value) + { + var assign = TryAssignElf(path); + if (assign == null) return false; + + var entity = document.Elf ?? new Elf(); + var assigned = assign(entity, value); + if (assigned) document.Elf = entity; + return assigned; + } + + public static Func TryAssignEmail(string path) { Func assign = path switch { @@ -3631,6 +3802,11 @@ public static bool TrySetEmail(EcsDocument document, string path, object value) "EmailXMailer" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.XMailer = p), _ => null }; + return assign; + } + public static bool TrySetEmail(EcsDocument document, string path, object value) + { + var assign = TryAssignEmail(path); if (assign == null) return false; var entity = document.Email ?? new Email(); @@ -3639,7 +3815,7 @@ public static bool TrySetEmail(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetError(EcsDocument document, string path, object value) + public static Func TryAssignError(string path) { Func assign = path switch { 
@@ -3655,6 +3831,11 @@ public static bool TrySetError(EcsDocument document, string path, object value) "ErrorType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetError(EcsDocument document, string path, object value) + { + var assign = TryAssignError(path); if (assign == null) return false; var entity = document.Error ?? new Error(); @@ -3663,7 +3844,7 @@ public static bool TrySetError(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetEvent(EcsDocument document, string path, object value) + public static Func TryAssignEvent(string path) { Func assign = path switch { @@ -3717,6 +3898,11 @@ public static bool TrySetEvent(EcsDocument document, string path, object value) "EventUrl" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Url = p), _ => null }; + return assign; + } + public static bool TrySetEvent(EcsDocument document, string path, object value) + { + var assign = TryAssignEvent(path); if (assign == null) return false; var entity = document.Event ?? new Event(); @@ -3725,7 +3911,7 @@ public static bool TrySetEvent(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetFaas(EcsDocument document, string path, object value) + public static Func TryAssignFaas(string path) { Func assign = path switch { @@ -3745,6 +3931,11 @@ public static bool TrySetFaas(EcsDocument document, string path, object value) "FaasVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetFaas(EcsDocument document, string path, object value) + { + var assign = TryAssignFaas(path); if (assign == null) return false; var entity = document.Faas ?? new Faas(); 
@@ -3753,7 +3944,7 @@ public static bool TrySetFaas(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetFile(EcsDocument document, string path, object value) + public static Func TryAssignFile(string path) { Func assign = path switch { 
@@ -3799,154 +3990,159 @@ public static bool TrySetFile(EcsDocument document, string path, object value) "FileType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "file.uid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), "FileUid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), - "file.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "FileHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "file.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "FileHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "file.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "FileHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "file.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "FileHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "file.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "FileHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "file.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "FileHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "file.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "FileHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "file.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "FilePeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "file.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), - "FilePeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), - "file.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), - "FilePeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), - "file.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "FilePeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "file.pe.go_import_hash" => static (e, v) => 
TrySetPe(e, "pe.go_import_hash", v), - "FilePeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), - "file.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - "FilePeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - "file.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "FilePeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "file.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "FilePeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "file.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "FilePeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "file.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "FilePeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "file.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "FilePeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "file.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "FilePeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "file.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "FilePeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "file.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "FilePeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "file.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "FilePePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "file.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), - "FilePeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), - 
"file.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "FileX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "file.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "FileX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "file.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "FileX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "file.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "FileX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "file.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "FileX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "file.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "FileX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "file.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "FileX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "file.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "FileX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "file.x509.signature_algorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), - "FileX509SignatureAlgorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), - "file.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "FileX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "file.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), - 
"FileX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), - "file.code_signature.digest_algorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), - "FileCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), - "file.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "FileCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "file.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "FileCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "file.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "FileCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "file.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "FileCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "file.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "FileCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "file.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "FileCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "file.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "FileCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "file.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), - "FileCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", 
v), - "file.elf.architecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), - "FileElfArchitecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), - "file.elf.byte_order" => static (e, v) => TrySetElf(e, "elf.byte_order", v), - "FileElfByteOrder" => static (e, v) => TrySetElf(e, "elf.byte_order", v), - "file.elf.cpu_type" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), - "FileElfCpuType" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), - "file.elf.creation_date" => static (e, v) => TrySetElf(e, "elf.creation_date", v), - "FileElfCreationDate" => static (e, v) => TrySetElf(e, "elf.creation_date", v), - "file.elf.go_import_hash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), - "FileElfGoImportHash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), - "file.elf.go_imports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), - "FileElfGoImports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), - "file.elf.go_imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), - "FileElfGoImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), - "file.elf.go_imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), - "FileElfGoImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), - "file.elf.go_stripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), - "FileElfGoStripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), - "file.elf.header.abi_version" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), - "FileElfHeaderAbiVersion" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), - "file.elf.header.class" => static (e, v) => TrySetElf(e, "elf.header.class", v), - "FileElfHeaderClass" => static (e, v) => TrySetElf(e, "elf.header.class", v), - "file.elf.header.data" => static (e, v) => TrySetElf(e, "elf.header.data", v), - 
"FileElfHeaderData" => static (e, v) => TrySetElf(e, "elf.header.data", v), - "file.elf.header.entrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), - "FileElfHeaderEntrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), - "file.elf.header.object_version" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), - "FileElfHeaderObjectVersion" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), - "file.elf.header.os_abi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), - "FileElfHeaderOsAbi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), - "file.elf.header.type" => static (e, v) => TrySetElf(e, "elf.header.type", v), - "FileElfHeaderType" => static (e, v) => TrySetElf(e, "elf.header.type", v), - "file.elf.header.version" => static (e, v) => TrySetElf(e, "elf.header.version", v), - "FileElfHeaderVersion" => static (e, v) => TrySetElf(e, "elf.header.version", v), - "file.elf.import_hash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), - "FileElfImportHash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), - "file.elf.imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), - "FileElfImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), - "file.elf.imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), - "FileElfImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), - "file.elf.telfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), - "FileElfTelfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), - "file.macho.go_import_hash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), - "FileMachoGoImportHash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), - "file.macho.go_imports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), - "FileMachoGoImports" => static (e, v) => TrySetMacho(e, 
"macho.go_imports", v), - "file.macho.go_imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), - "FileMachoGoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), - "file.macho.go_imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), - "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), - "file.macho.go_stripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), - "FileMachoGoStripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), - "file.macho.import_hash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), - "FileMachoImportHash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), - "file.macho.imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), - "FileMachoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), - "file.macho.imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), - "FileMachoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), - "file.macho.symhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), - "FileMachoSymhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + "file.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), + "FileHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), + "file.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), + "FileHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), + "file.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), + "FileHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? 
new Hash(),v), + "file.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), + "FileHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), + "file.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), + "FileHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), + "file.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), + "FileHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), + "file.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), + "FileHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), + "file.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), + "FilePeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), + "file.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), + "FilePeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), + "file.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), + "FilePeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), + "file.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), + "FilePeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), + "file.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), + "FilePeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), + "file.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), + "FilePeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), + "file.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? 
new Pe(),v), + "FilePeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), + "file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "FilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "file.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), + "FilePeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), + "file.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), + "FilePeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), + "file.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), + "FilePeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), + "file.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), + "FilePeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), + "file.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "FilePeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "file.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), + "FilePeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), + "file.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), + "FilePePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), + "file.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), + "FilePeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? 
new Pe(),v), + "file.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ?? new X509(),v), + "FileX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ?? new X509(),v), + "file.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ?? new X509(),v), + "FileX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ?? new X509(),v), + "file.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ?? new X509(),v), + "FileX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ?? new X509(),v), + "file.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ?? new X509(),v), + "FileX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ?? new X509(),v), + "file.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ?? new X509(),v), + "FileX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ?? new X509(),v), + "file.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ?? new X509(),v), + "FileX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ?? new X509(),v), + "file.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ?? new X509(),v), + "FileX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ?? new X509(),v), + "file.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ?? new X509(),v), + "FileX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ?? new X509(),v), + "file.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ?? 
new X509(),v), + "FileX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ?? new X509(),v), + "file.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ?? new X509(),v), + "FileX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ?? new X509(),v), + "file.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ?? new X509(),v), + "FileX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ?? new X509(),v), + "file.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? 
new CodeSignature(),v), + "FileCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), + "file.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), + "FileCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), + "file.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), + "FileElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), + "file.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), + "FileElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), + "file.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), + "FileElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), + "file.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? 
new Elf(),v), + "FileElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), + "file.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), + "FileElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), + "file.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), + "FileElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), + "file.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), + "FileElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), + "file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "FileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "file.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), + "FileElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), + "file.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), + "FileElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), + "file.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), + "FileElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), + "file.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), + "FileElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), + "file.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? 
new Elf(),v), + "FileElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), + "file.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), + "FileElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), + "file.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), + "FileElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), + "file.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), + "FileElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), + "file.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), + "FileElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), + "file.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), + "FileElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), + "file.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), + "FileElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), + "file.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "FileElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "file.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), + "FileElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), + "file.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? 
new Macho(),v), + "FileMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), + "file.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), + "FileMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), + "file.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), + "FileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), + "file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "file.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), + "FileMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), + "file.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), + "FileMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), + "file.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), + "FileMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), + "file.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "FileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "file.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? 
new Macho(),v), + "FileMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), _ => null }; + return assign; + } + public static bool TrySetFile(EcsDocument document, string path, object value) + { + var assign = TryAssignFile(path); if (assign == null) return false; var entity = document.File ?? new File(); 
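Review bot: The nested-entity arms added to the `TryAssignFile` switch pass `e.Hash ?? new Hash()` (and likewise `e.Pe`, `e.X509`, `e.CodeSignature`, `e.Elf`, `e.Macho`) to the child assigner, so when the property is null the value is written to a temporary that is never attached to the file entity, while the lambda can still report success. The removed `TrySetHash(e, "hash.md5", v)` form took the parent entity and presumably attached the child itself; its body is outside this hunk, so that is inferred. Compound assignment keeps the instance on the parent: `TryAssignHash("hash.md5")(e.Hash ??= new Hash(), v)`. These arms look generator-emitted, so the change likely belongs in the template rather than in this file. Until then, fields such as `file.hash.sha256` or `file.code_signature.trusted` supplied as log properties can go missing from the ECS document without any error, which weakens hash- and signature-based detections downstream. `TryAssignFile` starts in an earlier hunk.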
@@ -3955,121 +4151,223 @@ public static bool TrySetFile(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetHost(EcsDocument document, string path, object value) + public static Func TryAssignGeo(string path) { - Func assign = path switch + Func assign = path switch { - "host.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "HostArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "host.boot.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.BootId = p), - "HostBootId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.BootId = p), - "host.cpu.usage" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CpuUsage = p), - "HostCpuUsage" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CpuUsage = p), - "host.disk.read.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskReadBytes = p), - "HostDiskReadBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskReadBytes = p), - "host.disk.write.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskWriteBytes = p), - "HostDiskWriteBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskWriteBytes = p), - "host.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "HostDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "host.hostname" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hostname = p), - "HostHostname" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hostname = p), - "host.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "HostId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "host.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "HostName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - 
"host.network.egress.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressBytes = p), - "HostNetworkEgressBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressBytes = p), - "host.network.egress.packets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressPackets = p), - "HostNetworkEgressPackets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressPackets = p), - "host.network.ingress.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressBytes = p), - "HostNetworkIngressBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressBytes = p), - "host.network.ingress.packets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressPackets = p), - "HostNetworkIngressPackets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressPackets = p), - "host.pid_ns_ino" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PidNsIno = p), - "HostPidNsIno" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PidNsIno = p), - "host.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "HostType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "host.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "HostUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "host.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "HostGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "host.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "HostGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "host.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "HostGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "host.geo.country_iso_code" => static (e, v) => TrySetGeo(e, 
"geo.country_iso_code", v), - "HostGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "host.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "HostGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "host.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "HostGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "host.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "HostGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "host.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "HostGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "host.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "HostGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "host.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "HostGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "host.os.family" => static (e, v) => TrySetOs(e, "os.family", v), - "HostOsFamily" => static (e, v) => TrySetOs(e, "os.family", v), - "host.os.full" => static (e, v) => TrySetOs(e, "os.full", v), - "HostOsFull" => static (e, v) => TrySetOs(e, "os.full", v), - "host.os.kernel" => static (e, v) => TrySetOs(e, "os.kernel", v), - "HostOsKernel" => static (e, v) => TrySetOs(e, "os.kernel", v), - "host.os.name" => static (e, v) => TrySetOs(e, "os.name", v), - "HostOsName" => static (e, v) => TrySetOs(e, "os.name", v), - "host.os.platform" => static (e, v) => TrySetOs(e, "os.platform", v), - "HostOsPlatform" => static (e, v) => TrySetOs(e, "os.platform", v), - "host.os.type" => static (e, v) => TrySetOs(e, "os.type", v), - "HostOsType" => static (e, v) => TrySetOs(e, "os.type", v), - "host.os.version" => static (e, v) => TrySetOs(e, "os.version", v), - "HostOsVersion" => static (e, v) => TrySetOs(e, "os.version", v), - 
"host.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "HostRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "host.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "HostRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "host.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "HostRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "host.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "HostRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "host.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "HostRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "host.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "HostRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), + "geo.city_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), + "GeoCityName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), + "geo.continent_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), + "GeoContinentCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), + "geo.continent_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), + "GeoContinentName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), + "geo.country_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), + "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), + "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + 
"GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), + "GeoPostalCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), + "geo.region_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), + "GeoRegionIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), + "geo.region_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), + "GeoRegionName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), + "geo.timezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), + "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), _ => null }; + return assign; + } + public static bool TrySetGeo(IGeo document, string path, object value) + { + var assign = TryAssignGeo(path); if (assign == null) return false; - var entity = document.Host ?? new Host(); + var entity = document.Geo ?? 
new Geo(); var assigned = assign(entity, value); - if (assigned) document.Host = entity; + if (assigned) document.Geo = entity; return assigned; } - public static bool TrySetHttp(EcsDocument document, string path, object value) + public static Func TryAssignGroup(string path) { - Func assign = path switch + Func assign = path switch { - "http.request.body.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBodyBytes = p), - "HttpRequestBodyBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBodyBytes = p), - "http.request.body.content" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestBodyContent = p), - "HttpRequestBodyContent" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestBodyContent = p), - "http.request.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBytes = p), - "HttpRequestBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBytes = p), - "http.request.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestId = p), - "HttpRequestId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestId = p), - "http.request.method" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMethod = p), - "HttpRequestMethod" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMethod = p), - "http.request.mime_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMimeType = p), - "HttpRequestMimeType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMimeType = p), - "http.request.referrer" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestReferrer = p), - "HttpRequestReferrer" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestReferrer = p), - "http.response.body.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ResponseBodyBytes = p), - "HttpResponseBodyBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => 
ee.ResponseBodyBytes = p), - "http.response.body.content" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ResponseBodyContent = p), - "HttpResponseBodyContent" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ResponseBodyContent = p), - "http.response.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ResponseBytes = p), + "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + return assign; + } + public static bool TrySetGroup(IGroup document, string path, object value) + { + var assign = TryAssignGroup(path); + if (assign == null) return false; + + var entity = document.Group ?? 
new Group(); + var assigned = assign(entity, value); + if (assigned) document.Group = entity; + return assigned; + } + + public static Func TryAssignHash(string path) + { + Func assign = path switch + { + "hash.md5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), + "HashMd5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), + "hash.sha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), + "HashSha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), + "hash.sha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), + "HashSha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), + "hash.sha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), + "HashSha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), + "hash.sha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), + "HashSha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), + "hash.ssdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), + "HashSsdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), + "hash.tlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), + "HashTlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), + _ => null + }; + return assign; + } + public static bool TrySetHash(IHash document, string path, object value) + { + var assign = TryAssignHash(path); + if (assign == null) return false; + + var entity = document.Hash ?? 
new Hash(); + var assigned = assign(entity, value); + if (assigned) document.Hash = entity; + return assigned; + } + + public static Func TryAssignHost(string path) + { + Func assign = path switch + { + "host.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "HostArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "host.boot.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.BootId = p), + "HostBootId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.BootId = p), + "host.cpu.usage" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CpuUsage = p), + "HostCpuUsage" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CpuUsage = p), + "host.disk.read.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskReadBytes = p), + "HostDiskReadBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskReadBytes = p), + "host.disk.write.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskWriteBytes = p), + "HostDiskWriteBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.DiskWriteBytes = p), + "host.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "HostDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "host.hostname" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hostname = p), + "HostHostname" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hostname = p), + "host.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "HostId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "host.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "HostName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "host.network.egress.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressBytes = p), + 
"HostNetworkEgressBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressBytes = p), + "host.network.egress.packets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressPackets = p), + "HostNetworkEgressPackets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkEgressPackets = p), + "host.network.ingress.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressBytes = p), + "HostNetworkIngressBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressBytes = p), + "host.network.ingress.packets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressPackets = p), + "HostNetworkIngressPackets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NetworkIngressPackets = p), + "host.pid_ns_ino" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PidNsIno = p), + "HostPidNsIno" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PidNsIno = p), + "host.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "HostType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "host.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "HostUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "host.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "HostGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "host.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "HostGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "host.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "HostGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? 
new Geo(),v), + "host.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "HostGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "host.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "HostGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "host.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "HostGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "host.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "HostGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "host.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "HostGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "host.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "HostGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "host.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "HostGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "host.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), + "HostOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), + "host.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), + "HostOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), + "host.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), + "HostOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), + "host.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ?? 
new Os(),v), + "HostOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), + "host.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), + "HostOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), + "host.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), + "HostOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), + "host.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), + "HostOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), + "host.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), + "HostRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), + "host.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), + "HostRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), + "host.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), + "HostRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), + "host.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), + "HostRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), + "host.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), + "HostRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), + "host.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), + "HostRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? 
new Risk(),v), + _ => null + }; + return assign; + } + public static bool TrySetHost(EcsDocument document, string path, object value) + { + var assign = TryAssignHost(path); + if (assign == null) return false; + + var entity = document.Host ?? new Host(); + var assigned = assign(entity, value); + if (assigned) document.Host = entity; + return assigned; + } + + public static Func TryAssignHttp(string path) + { + Func assign = path switch + { + "http.request.body.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBodyBytes = p), + "HttpRequestBodyBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBodyBytes = p), + "http.request.body.content" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestBodyContent = p), + "HttpRequestBodyContent" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestBodyContent = p), + "http.request.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBytes = p), + "HttpRequestBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.RequestBytes = p), + "http.request.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestId = p), + "HttpRequestId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestId = p), + "http.request.method" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMethod = p), + "HttpRequestMethod" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMethod = p), + "http.request.mime_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMimeType = p), + "HttpRequestMimeType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestMimeType = p), + "http.request.referrer" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestReferrer = p), + "HttpRequestReferrer" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RequestReferrer = p), + "http.response.body.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => 
ee.ResponseBodyBytes = p), + "HttpResponseBodyBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ResponseBodyBytes = p), + "http.response.body.content" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ResponseBodyContent = p), + "HttpResponseBodyContent" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ResponseBodyContent = p), + "http.response.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ResponseBytes = p), "HttpResponseBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ResponseBytes = p), "http.response.mime_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ResponseMimeType = p), "HttpResponseMimeType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ResponseMimeType = p), @@ -4079,6 +4377,11 @@ public static bool TrySetHttp(EcsDocument document, string path, object value) "HttpVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetHttp(EcsDocument document, string path, object value) + { + var assign = TryAssignHttp(path); if (assign == null) return false; var entity = document.Http ?? new Http(); @@ -4087,7 +4390,7 @@ public static bool TrySetHttp(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetInterface(EcsDocument document, string path, object value) + public static Func TryAssignInterface(string path) { Func assign = path switch { @@ -4099,6 +4402,11 @@ public static bool TrySetInterface(EcsDocument document, string path, object val "InterfaceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetInterface(EcsDocument document, string path, object value) + { + var assign = TryAssignInterface(path); if (assign == null) return false; var entity = document.Interface ?? new Interface(); 
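Review bot: In the nested arms of `TryAssignHost` (`host.geo.*`, `host.os.*`, `host.risk.*`), `e.Geo ?? new Geo()` creates a fresh child when the property is null, but nothing visible stores it back on the host, so the value lands on an object that is dropped while the lambda still returns true. The removed arms went through `TrySetGeo(e, "geo.city_name", v)`, which does the write-back (`if (assigned) document.Geo = entity;`); keeping that call, e.g. `"host.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v),`, would preserve it, assuming Host still implements IGeo and its Geo getter does not create the instance lazily. The same pattern appears in the `file.macho.*` arms before this hunk and in the `network.vlan.*` and `observer.geo.*` arms of the later hunks. For a logging schema this means fields such as `host.risk.*` or `host.os.*` can silently vanish from emitted events while the caller is told the assignment succeeded. The file looks generated, so the change belongs in the generator template.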
@@ -4107,7 +4415,7 @@ public static bool TrySetInterface(EcsDocument document, string path, object val return assigned; } - public static bool TrySetLog(EcsDocument document, string path, object value) + public static Func TryAssignLog(string path) { Func assign = path switch { @@ -4125,6 +4433,11 @@ public static bool TrySetLog(EcsDocument document, string path, object value) "LogOriginFunction" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginFunction = p), _ => null }; + return assign; + } + public static bool TrySetLog(EcsDocument document, string path, object value) + { + var assign = TryAssignLog(path); if (assign == null) return false; var entity = document.Log ?? new Log(); 
@@ -4133,7 +4446,44 @@ public static bool TrySetLog(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetNetwork(EcsDocument document, string path, object value) + public static Func TryAssignMacho(string path) + { + Func assign = path switch + { + "macho.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "MachoGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "macho.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "MachoGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "macho.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "MachoGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "macho.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "MachoGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "macho.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "MachoGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "macho.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "MachoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "macho.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "MachoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "macho.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "MachoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) 
=> ee.ImportsNamesVarEntropy = p), + "macho.symhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), + "MachoSymhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), + _ => null + }; + return assign; + } + public static bool TrySetMacho(IMacho document, string path, object value) + { + var assign = TryAssignMacho(path); + if (assign == null) return false; + + var entity = document.Macho ?? new Macho(); + var assigned = assign(entity, value); + if (assigned) document.Macho = entity; + return assigned; + } + + public static Func TryAssignNetwork(string path) { Func assign = path switch { @@ -4159,12 +4509,17 @@ public static bool TrySetNetwork(EcsDocument document, string path, object value "NetworkTransport" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Transport = p), "network.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "NetworkType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "network.vlan.id" => static (e, v) => TrySetVlan(e, "vlan.id", v), - "NetworkVlanId" => static (e, v) => TrySetVlan(e, "vlan.id", v), - "network.vlan.name" => static (e, v) => TrySetVlan(e, "vlan.name", v), - "NetworkVlanName" => static (e, v) => TrySetVlan(e, "vlan.name", v), + "network.vlan.id" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ?? new Vlan(),v), + "NetworkVlanId" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ?? new Vlan(),v), + "network.vlan.name" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ?? new Vlan(),v), + "NetworkVlanName" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ?? new Vlan(),v), _ => null }; + return assign; + } + public static bool TrySetNetwork(EcsDocument document, string path, object value) + { + var assign = TryAssignNetwork(path); if (assign == null) return false; var entity = document.Network ?? new Network(); 
@@ -4173,7 +4528,7 @@ public static bool TrySetNetwork(EcsDocument document, string path, object value return assigned; } - public static bool TrySetObserver(EcsDocument document, string path, object value) + public static Func TryAssignObserver(string path) { Func assign = path switch { 
@@ -4191,42 +4546,47 @@ public static bool TrySetObserver(EcsDocument document, string path, object valu "ObserverVendor" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Vendor = p), "observer.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ObserverVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "observer.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "ObserverGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "observer.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "ObserverGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "observer.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "ObserverGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "observer.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "ObserverGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "observer.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "ObserverGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "observer.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "ObserverGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "observer.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "ObserverGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "observer.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "ObserverGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "observer.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "ObserverGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "observer.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - 
"ObserverGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "observer.os.family" => static (e, v) => TrySetOs(e, "os.family", v), - "ObserverOsFamily" => static (e, v) => TrySetOs(e, "os.family", v), - "observer.os.full" => static (e, v) => TrySetOs(e, "os.full", v), - "ObserverOsFull" => static (e, v) => TrySetOs(e, "os.full", v), - "observer.os.kernel" => static (e, v) => TrySetOs(e, "os.kernel", v), - "ObserverOsKernel" => static (e, v) => TrySetOs(e, "os.kernel", v), - "observer.os.name" => static (e, v) => TrySetOs(e, "os.name", v), - "ObserverOsName" => static (e, v) => TrySetOs(e, "os.name", v), - "observer.os.platform" => static (e, v) => TrySetOs(e, "os.platform", v), - "ObserverOsPlatform" => static (e, v) => TrySetOs(e, "os.platform", v), - "observer.os.type" => static (e, v) => TrySetOs(e, "os.type", v), - "ObserverOsType" => static (e, v) => TrySetOs(e, "os.type", v), - "observer.os.version" => static (e, v) => TrySetOs(e, "os.version", v), - "ObserverOsVersion" => static (e, v) => TrySetOs(e, "os.version", v), + "observer.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "ObserverGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "observer.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "ObserverGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "observer.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "ObserverGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "observer.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "ObserverGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? 
new Geo(),v), + "observer.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "ObserverGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "observer.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "ObserverGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "observer.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "ObserverGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "observer.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "ObserverGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "observer.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "ObserverGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "observer.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "ObserverGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "observer.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), + "ObserverOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), + "observer.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), + "ObserverOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), + "observer.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), + "ObserverOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), + "observer.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), + "ObserverOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), + "observer.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? 
new Os(),v), + "ObserverOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), + "observer.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), + "ObserverOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), + "observer.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), + "ObserverOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), _ => null }; + return assign; + } + public static bool TrySetObserver(EcsDocument document, string path, object value) + { + var assign = TryAssignObserver(path); if (assign == null) return false; var entity = document.Observer ?? new Observer(); @@ -4235,7 +4595,7 @@ public static bool TrySetObserver(EcsDocument document, string path, object valu return assigned; } - public static bool TrySetOrchestrator(EcsDocument document, string path, object value) + public static Func TryAssignOrchestrator(string path) { Func assign = path switch { @@ -4265,6 +4625,11 @@ public static bool TrySetOrchestrator(EcsDocument document, string path, object "OrchestratorType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetOrchestrator(EcsDocument document, string path, object value) + { + var assign = TryAssignOrchestrator(path); if (assign == null) return false; var entity = document.Orchestrator ?? new Orchestrator(); @@ -4273,7 +4638,7 @@ public static bool TrySetOrchestrator(EcsDocument document, string path, object return assigned; } - public static bool TrySetOrganization(EcsDocument document, string path, object value) + public static Func TryAssignOrganization(string path) { Func assign = path switch { 
@@ -4283,6 +4648,11 @@ public static bool TrySetOrganization(EcsDocument document, string path, object "OrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetOrganization(EcsDocument document, string path, object value) + { + var assign = TryAssignOrganization(path); if (assign == null) return false; var entity = document.Organization ?? new Organization(); 
@@ -4291,7 +4661,40 @@ public static bool TrySetOrganization(EcsDocument document, string path, object return assigned; } - public static bool TrySetPackage(EcsDocument document, string path, object value) + public static Func TryAssignOs(string path) + { + Func assign = path switch + { + "os.family" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), + "OsFamily" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), + "os.full" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), + "OsFull" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), + "os.kernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), + "OsKernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), + "os.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "OsName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "os.platform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), + "OsPlatform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), + "os.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "OsType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "os.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "OsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + _ => null + }; + return assign; + } + public static bool TrySetOs(IOs document, string path, object value) + { + var assign = TryAssignOs(path); + if (assign == null) return false; + + var entity = document.Os ?? new Os(); + var assigned = assign(entity, value); + if (assigned) document.Os = entity; + return assigned; + } + + public static Func TryAssignPackage(string path) { Func assign = path switch { 
@@ -4323,6 +4726,11 @@ public static bool TrySetPackage(EcsDocument document, string path, object value "PackageVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetPackage(EcsDocument document, string path, object value) + { + var assign = TryAssignPackage(path); if (assign == null) return false; var entity = document.Package ?? new Package(); 
@@ -4331,521 +4739,577 @@ public static bool TrySetPackage(EcsDocument document, string path, object value return assigned; } - public static bool TrySetProcess(EcsDocument document, string path, object value) + public static Func TryAssignPe(string path) { - Func assign = path switch + Func assign = path switch { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static 
(ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "process.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "ProcessGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "process.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), - "ProcessGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), - "process.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), - "ProcessGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), - "process.hash.md5" 
=> static (e, v) => TrySetHash(e, "hash.md5", v), - "ProcessHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "process.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "ProcessHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "process.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "ProcessHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "process.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "ProcessHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "process.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "ProcessHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "process.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "ProcessHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "process.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "ProcessHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "process.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "ProcessPeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "process.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), - "ProcessPeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), - "process.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), - "ProcessPeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), - "process.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "ProcessPeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "process.pe.go_import_hash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), - "ProcessPeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), - "process.pe.go_imports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - "ProcessPeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - 
"process.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "ProcessPeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "process.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "ProcessPeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "process.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "ProcessPeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "process.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "ProcessPeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "process.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "ProcessPeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "process.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "ProcessPeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "process.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "ProcessPeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "process.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "ProcessPeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "process.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "ProcessPePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "process.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), - "ProcessPeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), - "process.code_signature.digest_algorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), - "ProcessCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, 
"code_signature.digest_algorithm", v), - "process.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "ProcessCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "process.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "ProcessCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "process.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "ProcessCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "process.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "ProcessCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "process.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "ProcessCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "process.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "ProcessCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "process.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "ProcessCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "process.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), - "ProcessCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), - "process.elf.architecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), - "ProcessElfArchitecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), - "process.elf.byte_order" => static (e, v) => TrySetElf(e, 
"elf.byte_order", v), - "ProcessElfByteOrder" => static (e, v) => TrySetElf(e, "elf.byte_order", v), - "process.elf.cpu_type" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), - "ProcessElfCpuType" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), - "process.elf.creation_date" => static (e, v) => TrySetElf(e, "elf.creation_date", v), - "ProcessElfCreationDate" => static (e, v) => TrySetElf(e, "elf.creation_date", v), - "process.elf.go_import_hash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), - "ProcessElfGoImportHash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), - "process.elf.go_imports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), - "ProcessElfGoImports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), - "process.elf.go_imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), - "ProcessElfGoImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), - "process.elf.go_imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), - "ProcessElfGoImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), - "process.elf.go_stripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), - "ProcessElfGoStripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), - "process.elf.header.abi_version" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), - "ProcessElfHeaderAbiVersion" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), - "process.elf.header.class" => static (e, v) => TrySetElf(e, "elf.header.class", v), - "ProcessElfHeaderClass" => static (e, v) => TrySetElf(e, "elf.header.class", v), - "process.elf.header.data" => static (e, v) => TrySetElf(e, "elf.header.data", v), - "ProcessElfHeaderData" => static (e, v) => TrySetElf(e, "elf.header.data", v), - "process.elf.header.entrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), - 
"ProcessElfHeaderEntrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), - "process.elf.header.object_version" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), - "ProcessElfHeaderObjectVersion" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), - "process.elf.header.os_abi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), - "ProcessElfHeaderOsAbi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), - "process.elf.header.type" => static (e, v) => TrySetElf(e, "elf.header.type", v), - "ProcessElfHeaderType" => static (e, v) => TrySetElf(e, "elf.header.type", v), - "process.elf.header.version" => static (e, v) => TrySetElf(e, "elf.header.version", v), - "ProcessElfHeaderVersion" => static (e, v) => TrySetElf(e, "elf.header.version", v), - "process.elf.import_hash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), - "ProcessElfImportHash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), - "process.elf.imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), - "ProcessElfImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), - "process.elf.imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), - "ProcessElfImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), - "process.elf.telfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), - "ProcessElfTelfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), - "process.macho.go_import_hash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), - "ProcessMachoGoImportHash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), - "process.macho.go_imports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), - "ProcessMachoGoImports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), - "process.macho.go_imports_names_entropy" => static (e, v) => TrySetMacho(e, 
"macho.go_imports_names_entropy", v), - "ProcessMachoGoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), - "process.macho.go_imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), - "ProcessMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), - "process.macho.go_stripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), - "ProcessMachoGoStripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), - "process.macho.import_hash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), - "ProcessMachoImportHash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), - "process.macho.imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), - "ProcessMachoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), - "process.macho.imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), - "ProcessMachoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), - "process.macho.symhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), - "ProcessMachoSymhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), - "process.source.address" => static (e, v) => TrySetSource(e, "source.address", v), - "ProcessSourceAddress" => static (e, v) => TrySetSource(e, "source.address", v), - "process.source.bytes" => static (e, v) => TrySetSource(e, "source.bytes", v), - "ProcessSourceBytes" => static (e, v) => TrySetSource(e, "source.bytes", v), - "process.source.domain" => static (e, v) => TrySetSource(e, "source.domain", v), - "ProcessSourceDomain" => static (e, v) => TrySetSource(e, "source.domain", v), - "process.source.ip" => static (e, v) => TrySetSource(e, "source.ip", v), - "ProcessSourceIp" => static (e, v) => TrySetSource(e, "source.ip", v), - 
"process.source.mac" => static (e, v) => TrySetSource(e, "source.mac", v), - "ProcessSourceMac" => static (e, v) => TrySetSource(e, "source.mac", v), - "process.source.nat.ip" => static (e, v) => TrySetSource(e, "source.nat.ip", v), - "ProcessSourceNatIp" => static (e, v) => TrySetSource(e, "source.nat.ip", v), - "process.source.nat.port" => static (e, v) => TrySetSource(e, "source.nat.port", v), - "ProcessSourceNatPort" => static (e, v) => TrySetSource(e, "source.nat.port", v), - "process.source.packets" => static (e, v) => TrySetSource(e, "source.packets", v), - "ProcessSourcePackets" => static (e, v) => TrySetSource(e, "source.packets", v), - "process.source.port" => static (e, v) => TrySetSource(e, "source.port", v), - "ProcessSourcePort" => static (e, v) => TrySetSource(e, "source.port", v), - "process.source.registered_domain" => static (e, v) => TrySetSource(e, "source.registered_domain", v), - "ProcessSourceRegisteredDomain" => static (e, v) => TrySetSource(e, "source.registered_domain", v), - "process.source.subdomain" => static (e, v) => TrySetSource(e, "source.subdomain", v), - "ProcessSourceSubdomain" => static (e, v) => TrySetSource(e, "source.subdomain", v), - "process.source.top_level_domain" => static (e, v) => TrySetSource(e, "source.top_level_domain", v), - "ProcessSourceTopLevelDomain" => static (e, v) => TrySetSource(e, "source.top_level_domain", v), - "process.source.as.number" => static (e, v) => TrySetSource(e, "source.as.number", v), - "ProcessSourceAsNumber" => static (e, v) => TrySetSource(e, "source.as.number", v), - "process.source.as.organization.name" => static (e, v) => TrySetSource(e, "source.as.organization.name", v), - "ProcessSourceAsOrganizationName" => static (e, v) => TrySetSource(e, "source.as.organization.name", v), - "process.source.geo.city_name" => static (e, v) => TrySetSource(e, "source.geo.city_name", v), - "ProcessSourceGeoCityName" => static (e, v) => TrySetSource(e, "source.geo.city_name", v), - 
"process.source.geo.continent_code" => static (e, v) => TrySetSource(e, "source.geo.continent_code", v), - "ProcessSourceGeoContinentCode" => static (e, v) => TrySetSource(e, "source.geo.continent_code", v), - "process.source.geo.continent_name" => static (e, v) => TrySetSource(e, "source.geo.continent_name", v), - "ProcessSourceGeoContinentName" => static (e, v) => TrySetSource(e, "source.geo.continent_name", v), - "process.source.geo.country_iso_code" => static (e, v) => TrySetSource(e, "source.geo.country_iso_code", v), - "ProcessSourceGeoCountryIsoCode" => static (e, v) => TrySetSource(e, "source.geo.country_iso_code", v), - "process.source.geo.country_name" => static (e, v) => TrySetSource(e, "source.geo.country_name", v), - "ProcessSourceGeoCountryName" => static (e, v) => TrySetSource(e, "source.geo.country_name", v), - "process.source.geo.name" => static (e, v) => TrySetSource(e, "source.geo.name", v), - "ProcessSourceGeoName" => static (e, v) => TrySetSource(e, "source.geo.name", v), - "process.source.geo.postal_code" => static (e, v) => TrySetSource(e, "source.geo.postal_code", v), - "ProcessSourceGeoPostalCode" => static (e, v) => TrySetSource(e, "source.geo.postal_code", v), - "process.source.geo.region_iso_code" => static (e, v) => TrySetSource(e, "source.geo.region_iso_code", v), - "ProcessSourceGeoRegionIsoCode" => static (e, v) => TrySetSource(e, "source.geo.region_iso_code", v), - "process.source.geo.region_name" => static (e, v) => TrySetSource(e, "source.geo.region_name", v), - "ProcessSourceGeoRegionName" => static (e, v) => TrySetSource(e, "source.geo.region_name", v), - "process.source.geo.timezone" => static (e, v) => TrySetSource(e, "source.geo.timezone", v), - "ProcessSourceGeoTimezone" => static (e, v) => TrySetSource(e, "source.geo.timezone", v), - "process.source.user.domain" => static (e, v) => TrySetSource(e, "source.user.domain", v), - "ProcessSourceUserDomain" => static (e, v) => TrySetSource(e, "source.user.domain", v), - 
"process.source.user.email" => static (e, v) => TrySetSource(e, "source.user.email", v), - "ProcessSourceUserEmail" => static (e, v) => TrySetSource(e, "source.user.email", v), - "process.source.user.full_name" => static (e, v) => TrySetSource(e, "source.user.full_name", v), - "ProcessSourceUserFullName" => static (e, v) => TrySetSource(e, "source.user.full_name", v), - "process.source.user.hash" => static (e, v) => TrySetSource(e, "source.user.hash", v), - "ProcessSourceUserHash" => static (e, v) => TrySetSource(e, "source.user.hash", v), - "process.source.user.id" => static (e, v) => TrySetSource(e, "source.user.id", v), - "ProcessSourceUserId" => static (e, v) => TrySetSource(e, "source.user.id", v), - "process.source.user.name" => static (e, v) => TrySetSource(e, "source.user.name", v), - "ProcessSourceUserName" => static (e, v) => TrySetSource(e, "source.user.name", v), - "process.source.user.group.domain" => static (e, v) => TrySetSource(e, "source.user.group.domain", v), - "ProcessSourceUserGroupDomain" => static (e, v) => TrySetSource(e, "source.user.group.domain", v), - "process.source.user.group.id" => static (e, v) => TrySetSource(e, "source.user.group.id", v), - "ProcessSourceUserGroupId" => static (e, v) => TrySetSource(e, "source.user.group.id", v), - "process.source.user.group.name" => static (e, v) => TrySetSource(e, "source.user.group.name", v), - "ProcessSourceUserGroupName" => static (e, v) => TrySetSource(e, "source.user.group.name", v), - "process.source.user.risk.calculated_level" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_level", v), - "ProcessSourceUserRiskCalculatedLevel" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_level", v), - "process.source.user.risk.calculated_score" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score", v), - "ProcessSourceUserRiskCalculatedScore" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score", v), - 
"process.source.user.risk.calculated_score_norm" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score_norm", v), - "ProcessSourceUserRiskCalculatedScoreNorm" => static (e, v) => TrySetSource(e, "source.user.risk.calculated_score_norm", v), - "process.source.user.risk.static_level" => static (e, v) => TrySetSource(e, "source.user.risk.static_level", v), - "ProcessSourceUserRiskStaticLevel" => static (e, v) => TrySetSource(e, "source.user.risk.static_level", v), - "process.source.user.risk.static_score" => static (e, v) => TrySetSource(e, "source.user.risk.static_score", v), - "ProcessSourceUserRiskStaticScore" => static (e, v) => TrySetSource(e, "source.user.risk.static_score", v), - "process.source.user.risk.static_score_norm" => static (e, v) => TrySetSource(e, "source.user.risk.static_score_norm", v), - "ProcessSourceUserRiskStaticScoreNorm" => static (e, v) => TrySetSource(e, "source.user.risk.static_score_norm", v), - "process.source.user.user.domain" => static (e, v) => TrySetSource(e, "source.user.user.domain", v), - "ProcessSourceUserUserDomain" => static (e, v) => TrySetSource(e, "source.user.user.domain", v), - "process.source.user.user.email" => static (e, v) => TrySetSource(e, "source.user.user.email", v), - "ProcessSourceUserUserEmail" => static (e, v) => TrySetSource(e, "source.user.user.email", v), - "process.source.user.user.full_name" => static (e, v) => TrySetSource(e, "source.user.user.full_name", v), - "ProcessSourceUserUserFullName" => static (e, v) => TrySetSource(e, "source.user.user.full_name", v), - "process.source.user.user.hash" => static (e, v) => TrySetSource(e, "source.user.user.hash", v), - "ProcessSourceUserUserHash" => static (e, v) => TrySetSource(e, "source.user.user.hash", v), - "process.source.user.user.id" => static (e, v) => TrySetSource(e, "source.user.user.id", v), - "ProcessSourceUserUserId" => static (e, v) => TrySetSource(e, "source.user.user.id", v), - "process.source.user.user.name" => static (e, v) => 
TrySetSource(e, "source.user.user.name", v), - "ProcessSourceUserUserName" => static (e, v) => TrySetSource(e, "source.user.user.name", v), - "process.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), - "ProcessUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), - "process.user.email" => static (e, v) => TrySetUser(e, "user.email", v), - "ProcessUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), - "process.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), - "ProcessUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), - "process.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), - "ProcessUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), - "process.user.id" => static (e, v) => TrySetUser(e, "user.id", v), - "ProcessUserId" => static (e, v) => TrySetUser(e, "user.id", v), - "process.user.name" => static (e, v) => TrySetUser(e, "user.name", v), - "ProcessUserName" => static (e, v) => TrySetUser(e, "user.name", v), - "process.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "ProcessUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "process.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), - "ProcessUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), - "process.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), - "ProcessUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), - "process.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "ProcessUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "process.user.risk.calculated_score" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "ProcessUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "process.user.risk.calculated_score_norm" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "ProcessUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "process.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "ProcessUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "process.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "ProcessUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "process.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "ProcessUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "process.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "ProcessUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "process.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), - "ProcessUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), - "process.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "ProcessUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "process.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "ProcessUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "process.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), - "ProcessUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), - "process.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), - "ProcessUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), - "process.process.args_count" => static (e, v) => TrySetProcessParent(e, "process.args_count", v), - "ProcessProcessArgsCount" => static (e, v) => TrySetProcessParent(e, "process.args_count", v), - 
"process.process.command_line" => static (e, v) => TrySetProcessParent(e, "process.command_line", v), - "ProcessProcessCommandLine" => static (e, v) => TrySetProcessParent(e, "process.command_line", v), - "process.process.end" => static (e, v) => TrySetProcessParent(e, "process.end", v), - "ProcessProcessEnd" => static (e, v) => TrySetProcessParent(e, "process.end", v), - "process.process.entity_id" => static (e, v) => TrySetProcessParent(e, "process.entity_id", v), - "ProcessProcessEntityId" => static (e, v) => TrySetProcessParent(e, "process.entity_id", v), - "process.process.executable" => static (e, v) => TrySetProcessParent(e, "process.executable", v), - "ProcessProcessExecutable" => static (e, v) => TrySetProcessParent(e, "process.executable", v), - "process.process.exit_code" => static (e, v) => TrySetProcessParent(e, "process.exit_code", v), - "ProcessProcessExitCode" => static (e, v) => TrySetProcessParent(e, "process.exit_code", v), - "process.process.interactive" => static (e, v) => TrySetProcessParent(e, "process.interactive", v), - "ProcessProcessInteractive" => static (e, v) => TrySetProcessParent(e, "process.interactive", v), - "process.process.name" => static (e, v) => TrySetProcessParent(e, "process.name", v), - "ProcessProcessName" => static (e, v) => TrySetProcessParent(e, "process.name", v), - "process.process.pgid" => static (e, v) => TrySetProcessParent(e, "process.pgid", v), - "ProcessProcessPgid" => static (e, v) => TrySetProcessParent(e, "process.pgid", v), - "process.process.pid" => static (e, v) => TrySetProcessParent(e, "process.pid", v), - "ProcessProcessPid" => static (e, v) => TrySetProcessParent(e, "process.pid", v), - "process.process.start" => static (e, v) => TrySetProcessParent(e, "process.start", v), - "ProcessProcessStart" => static (e, v) => TrySetProcessParent(e, "process.start", v), - "process.process.thread.id" => static (e, v) => TrySetProcessParent(e, "process.thread.id", v), - "ProcessProcessThreadId" => static (e, v) => 
TrySetProcessParent(e, "process.thread.id", v), - "process.process.thread.name" => static (e, v) => TrySetProcessParent(e, "process.thread.name", v), - "ProcessProcessThreadName" => static (e, v) => TrySetProcessParent(e, "process.thread.name", v), - "process.process.title" => static (e, v) => TrySetProcessParent(e, "process.title", v), - "ProcessProcessTitle" => static (e, v) => TrySetProcessParent(e, "process.title", v), - "process.process.uptime" => static (e, v) => TrySetProcessParent(e, "process.uptime", v), - "ProcessProcessUptime" => static (e, v) => TrySetProcessParent(e, "process.uptime", v), - "process.process.vpid" => static (e, v) => TrySetProcessParent(e, "process.vpid", v), - "ProcessProcessVpid" => static (e, v) => TrySetProcessParent(e, "process.vpid", v), - "process.process.working_directory" => static (e, v) => TrySetProcessParent(e, "process.working_directory", v), - "ProcessProcessWorkingDirectory" => static (e, v) => TrySetProcessParent(e, "process.working_directory", v), - "process.process.parent.process.args_count" => static (e, v) => TrySetProcessParent(e, "process.parent.process.args_count", v), - "ProcessProcessParentProcessArgsCount" => static (e, v) => TrySetProcessParent(e, "process.parent.process.args_count", v), - "process.process.parent.process.command_line" => static (e, v) => TrySetProcessParent(e, "process.parent.process.command_line", v), - "ProcessProcessParentProcessCommandLine" => static (e, v) => TrySetProcessParent(e, "process.parent.process.command_line", v), - "process.process.parent.process.end" => static (e, v) => TrySetProcessParent(e, "process.parent.process.end", v), - "ProcessProcessParentProcessEnd" => static (e, v) => TrySetProcessParent(e, "process.parent.process.end", v), - "process.process.parent.process.entity_id" => static (e, v) => TrySetProcessParent(e, "process.parent.process.entity_id", v), - "ProcessProcessParentProcessEntityId" => static (e, v) => TrySetProcessParent(e, 
"process.parent.process.entity_id", v), - "process.process.parent.process.executable" => static (e, v) => TrySetProcessParent(e, "process.parent.process.executable", v), - "ProcessProcessParentProcessExecutable" => static (e, v) => TrySetProcessParent(e, "process.parent.process.executable", v), - "process.process.parent.process.exit_code" => static (e, v) => TrySetProcessParent(e, "process.parent.process.exit_code", v), - "ProcessProcessParentProcessExitCode" => static (e, v) => TrySetProcessParent(e, "process.parent.process.exit_code", v), - "process.process.parent.process.interactive" => static (e, v) => TrySetProcessParent(e, "process.parent.process.interactive", v), - "ProcessProcessParentProcessInteractive" => static (e, v) => TrySetProcessParent(e, "process.parent.process.interactive", v), - "process.process.parent.process.name" => static (e, v) => TrySetProcessParent(e, "process.parent.process.name", v), - "ProcessProcessParentProcessName" => static (e, v) => TrySetProcessParent(e, "process.parent.process.name", v), - "process.process.parent.process.pgid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pgid", v), - "ProcessProcessParentProcessPgid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pgid", v), - "process.process.parent.process.pid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pid", v), - "ProcessProcessParentProcessPid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.pid", v), - "process.process.parent.process.start" => static (e, v) => TrySetProcessParent(e, "process.parent.process.start", v), - "ProcessProcessParentProcessStart" => static (e, v) => TrySetProcessParent(e, "process.parent.process.start", v), - "process.process.parent.process.thread.id" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.id", v), - "ProcessProcessParentProcessThreadId" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.id", v), - 
"process.process.parent.process.thread.name" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.name", v), - "ProcessProcessParentProcessThreadName" => static (e, v) => TrySetProcessParent(e, "process.parent.process.thread.name", v), - "process.process.parent.process.title" => static (e, v) => TrySetProcessParent(e, "process.parent.process.title", v), - "ProcessProcessParentProcessTitle" => static (e, v) => TrySetProcessParent(e, "process.parent.process.title", v), - "process.process.parent.process.uptime" => static (e, v) => TrySetProcessParent(e, "process.parent.process.uptime", v), - "ProcessProcessParentProcessUptime" => static (e, v) => TrySetProcessParent(e, "process.parent.process.uptime", v), - "process.process.parent.process.vpid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.vpid", v), - "ProcessProcessParentProcessVpid" => static (e, v) => TrySetProcessParent(e, "process.parent.process.vpid", v), - "process.process.parent.process.working_directory" => static (e, v) => TrySetProcessParent(e, "process.parent.process.working_directory", v), - "ProcessProcessParentProcessWorkingDirectory" => static (e, v) => TrySetProcessParent(e, "process.parent.process.working_directory", v), - "process.process.entry_leader.process.args_count" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.args_count", v), - "ProcessProcessEntryLeaderProcessArgsCount" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.args_count", v), - "process.process.entry_leader.process.command_line" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.command_line", v), - "ProcessProcessEntryLeaderProcessCommandLine" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.command_line", v), - "process.process.entry_leader.process.end" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.end", v), - 
"ProcessProcessEntryLeaderProcessEnd" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.end", v), - "process.process.entry_leader.process.entity_id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entity_id", v), - "ProcessProcessEntryLeaderProcessEntityId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entity_id", v), - "process.process.entry_leader.process.executable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.executable", v), - "ProcessProcessEntryLeaderProcessExecutable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.executable", v), - "process.process.entry_leader.process.exit_code" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.exit_code", v), - "ProcessProcessEntryLeaderProcessExitCode" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.exit_code", v), - "process.process.entry_leader.process.interactive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.interactive", v), - "ProcessProcessEntryLeaderProcessInteractive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.interactive", v), - "process.process.entry_leader.process.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.name", v), - "ProcessProcessEntryLeaderProcessName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.name", v), - "process.process.entry_leader.process.pgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pgid", v), - "ProcessProcessEntryLeaderProcessPgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pgid", v), - "process.process.entry_leader.process.pid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.pid", v), - "ProcessProcessEntryLeaderProcessPid" => static (e, v) => 
TrySetProcessEntryLeader(e, "process.entry_leader.process.pid", v), - "process.process.entry_leader.process.start" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.start", v), - "ProcessProcessEntryLeaderProcessStart" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.start", v), - "process.process.entry_leader.process.thread.id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.id", v), - "ProcessProcessEntryLeaderProcessThreadId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.id", v), - "process.process.entry_leader.process.thread.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.name", v), - "ProcessProcessEntryLeaderProcessThreadName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.thread.name", v), - "process.process.entry_leader.process.title" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.title", v), - "ProcessProcessEntryLeaderProcessTitle" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.title", v), - "process.process.entry_leader.process.uptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.uptime", v), - "ProcessProcessEntryLeaderProcessUptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.uptime", v), - "process.process.entry_leader.process.vpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.vpid", v), - "ProcessProcessEntryLeaderProcessVpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.vpid", v), - "process.process.entry_leader.process.working_directory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.working_directory", v), - "ProcessProcessEntryLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeader(e, 
"process.entry_leader.process.working_directory", v), - "process.process.entry_leader.process.entry_leader.parent.process.args_count" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.args_count", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.args_count", v), - "process.process.entry_leader.process.entry_leader.parent.process.command_line" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.command_line", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.command_line", v), - "process.process.entry_leader.process.entry_leader.parent.process.end" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.end", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEnd" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.end", v), - "process.process.entry_leader.process.entry_leader.parent.process.entity_id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.entity_id", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessEntityId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.entity_id", v), - "process.process.entry_leader.process.entry_leader.parent.process.executable" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.executable", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExecutable" => static (e, v) => TrySetProcessEntryLeader(e, 
"process.entry_leader.process.entry_leader.parent.process.executable", v), - "process.process.entry_leader.process.entry_leader.parent.process.exit_code" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.exit_code", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessExitCode" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.exit_code", v), - "process.process.entry_leader.process.entry_leader.parent.process.interactive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.interactive", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessInteractive" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.interactive", v), - "process.process.entry_leader.process.entry_leader.parent.process.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.name", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.name", v), - "process.process.entry_leader.process.entry_leader.parent.process.pgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pgid", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPgid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pgid", v), - "process.process.entry_leader.process.entry_leader.parent.process.pid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pid", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessPid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.pid", v), - 
"process.process.entry_leader.process.entry_leader.parent.process.start" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.start", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessStart" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.start", v), - "process.process.entry_leader.process.entry_leader.parent.process.thread.id" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.id", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadId" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.id", v), - "process.process.entry_leader.process.entry_leader.parent.process.thread.name" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.name", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessThreadName" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.thread.name", v), - "process.process.entry_leader.process.entry_leader.parent.process.title" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.title", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessTitle" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.title", v), - "process.process.entry_leader.process.entry_leader.parent.process.uptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.uptime", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessUptime" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.uptime", v), - "process.process.entry_leader.process.entry_leader.parent.process.vpid" 
=> static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.vpid", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessVpid" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.vpid", v), - "process.process.entry_leader.process.entry_leader.parent.process.working_directory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.working_directory", v), - "ProcessProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeader(e, "process.entry_leader.process.entry_leader.parent.process.working_directory", v), - "process.process.session_leader.process.args_count" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.args_count", v), - "ProcessProcessSessionLeaderProcessArgsCount" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.args_count", v), - "process.process.session_leader.process.command_line" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.command_line", v), - "ProcessProcessSessionLeaderProcessCommandLine" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.command_line", v), - "process.process.session_leader.process.end" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.end", v), - "ProcessProcessSessionLeaderProcessEnd" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.end", v), - "process.process.session_leader.process.entity_id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.entity_id", v), - "ProcessProcessSessionLeaderProcessEntityId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.entity_id", v), - "process.process.session_leader.process.executable" => static (e, v) => 
TrySetProcessSessionLeader(e, "process.session_leader.process.executable", v), - "ProcessProcessSessionLeaderProcessExecutable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.executable", v), - "process.process.session_leader.process.exit_code" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.exit_code", v), - "ProcessProcessSessionLeaderProcessExitCode" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.exit_code", v), - "process.process.session_leader.process.interactive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.interactive", v), - "ProcessProcessSessionLeaderProcessInteractive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.interactive", v), - "process.process.session_leader.process.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.name", v), - "ProcessProcessSessionLeaderProcessName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.name", v), - "process.process.session_leader.process.pgid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pgid", v), - "ProcessProcessSessionLeaderProcessPgid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pgid", v), - "process.process.session_leader.process.pid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pid", v), - "ProcessProcessSessionLeaderProcessPid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.pid", v), - "process.process.session_leader.process.start" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.start", v), - "ProcessProcessSessionLeaderProcessStart" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.start", v), - "process.process.session_leader.process.thread.id" => static 
(e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.id", v), - "ProcessProcessSessionLeaderProcessThreadId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.id", v), - "process.process.session_leader.process.thread.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.name", v), - "ProcessProcessSessionLeaderProcessThreadName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.thread.name", v), - "process.process.session_leader.process.title" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.title", v), - "ProcessProcessSessionLeaderProcessTitle" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.title", v), - "process.process.session_leader.process.uptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.uptime", v), - "ProcessProcessSessionLeaderProcessUptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.uptime", v), - "process.process.session_leader.process.vpid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.vpid", v), - "ProcessProcessSessionLeaderProcessVpid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.vpid", v), - "process.process.session_leader.process.working_directory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.working_directory", v), - "ProcessProcessSessionLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.working_directory", v), - "process.process.session_leader.process.session_leader.parent.process.args_count" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.args_count", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount" => 
static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.args_count", v), - "process.process.session_leader.process.session_leader.parent.process.command_line" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.command_line", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.command_line", v), - "process.process.session_leader.process.session_leader.parent.process.end" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.end", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEnd" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.end", v), - "process.process.session_leader.process.session_leader.parent.process.entity_id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.entity_id", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessEntityId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.entity_id", v), - "process.process.session_leader.process.session_leader.parent.process.executable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.executable", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExecutable" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.executable", v), - "process.process.session_leader.process.session_leader.parent.process.exit_code" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.exit_code", v), - 
"ProcessProcessSessionLeaderProcessSessionLeaderParentProcessExitCode" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.exit_code", v), - "process.process.session_leader.process.session_leader.parent.process.interactive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.interactive", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessInteractive" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.interactive", v), - "process.process.session_leader.process.session_leader.parent.process.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.name", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.name", v), - "process.process.session_leader.process.session_leader.parent.process.pgid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pgid", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPgid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pgid", v), - "process.process.session_leader.process.session_leader.parent.process.pid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pid", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessPid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.pid", v), - "process.process.session_leader.process.session_leader.parent.process.start" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.start", v), - 
"ProcessProcessSessionLeaderProcessSessionLeaderParentProcessStart" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.start", v), - "process.process.session_leader.process.session_leader.parent.process.thread.id" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.id", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadId" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.id", v), - "process.process.session_leader.process.session_leader.parent.process.thread.name" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.name", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessThreadName" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.thread.name", v), - "process.process.session_leader.process.session_leader.parent.process.title" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.title", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessTitle" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.title", v), - "process.process.session_leader.process.session_leader.parent.process.uptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.uptime", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessUptime" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.uptime", v), - "process.process.session_leader.process.session_leader.parent.process.vpid" => static (e, v) => TrySetProcessSessionLeader(e, 
"process.session_leader.process.session_leader.parent.process.vpid", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessVpid" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.vpid", v), - "process.process.session_leader.process.session_leader.parent.process.working_directory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.working_directory", v), - "ProcessProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeader(e, "process.session_leader.process.session_leader.parent.process.working_directory", v), - _ => null - }; - if (assign == null) return false; - - var entity = document.Process ?? new Process(); + "pe.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "PeArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), + "pe.company" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), + "PeCompany" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), + "pe.description" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), + "PeDescription" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), + "pe.file_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), + "PeFileVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), + "pe.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "PeGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), + "pe.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "PeGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), + "pe.go_imports_names_entropy" => 
static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "PeGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), + "pe.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "PeGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), + "pe.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "PeGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), + "pe.imphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), + "PeImphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), + "pe.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "PeImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), + "pe.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "PeImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), + "pe.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "PeImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), + "pe.original_file_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), + "PeOriginalFileName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), + "pe.pehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), + "PePehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), + "pe.product" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), + "PeProduct" => static (e, v) => TrySetString(e, v, static (ee, p) 
=> ee.Product = p), + _ => null + }; + return assign; + } + public static bool TrySetPe(IPe document, string path, object value) + { + var assign = TryAssignPe(path); + if (assign == null) return false; + + var entity = document.Pe ?? new Pe(); + var assigned = assign(entity, value); + if (assigned) document.Pe = entity; + return assigned; + } + + public static Func TryAssignProcess(string path) + { + Func assign = path switch + { + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static 
(e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "process.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), + "ProcessGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), + "process.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? 
new Group(),v), + "ProcessGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), + "process.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), + "ProcessGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), + "process.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), + "ProcessHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), + "process.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), + "ProcessHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), + "process.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), + "ProcessHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), + "process.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), + "ProcessHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), + "process.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), + "ProcessHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), + "process.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), + "ProcessHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), + "process.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), + "ProcessHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), + "process.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), + "ProcessPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), + "process.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), + "ProcessPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? 
new Pe(),v), + "process.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), + "ProcessPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), + "process.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), + "ProcessPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), + "process.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), + "ProcessPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), + "process.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), + "ProcessPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), + "process.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), + "ProcessPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), + "process.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "ProcessPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "process.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), + "ProcessPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), + "process.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), + "ProcessPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), + "process.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), + "ProcessPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), + "process.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? 
new Pe(),v), + "ProcessPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), + "process.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "ProcessPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), + "process.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), + "ProcessPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), + "process.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), + "ProcessPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), + "process.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), + "ProcessPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), + "process.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? 
new CodeSignature(),v), + "ProcessCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), + "process.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), + "ProcessCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), + "process.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), + "ProcessElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), + "process.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? 
new Elf(),v), + "ProcessElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), + "process.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), + "ProcessElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), + "process.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), + "ProcessElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), + "process.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), + "ProcessElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), + "process.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), + "ProcessElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), + "process.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), + "ProcessElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), + "process.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "ProcessElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "process.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), + "ProcessElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), + "process.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), + "process.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? 
new Elf(),v), + "ProcessElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), + "process.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), + "process.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), + "process.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), + "process.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), + "process.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), + "process.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), + "ProcessElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), + "process.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), + "ProcessElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), + "process.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), + "ProcessElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), + "process.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? 
new Elf(),v), + "ProcessElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), + "process.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), + "ProcessElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), + "process.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), + "ProcessMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), + "process.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), + "ProcessMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), + "process.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), + "ProcessMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), + "process.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "ProcessMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "process.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), + "ProcessMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), + "process.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), + "ProcessMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), + "process.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? 
new Macho(),v), + "ProcessMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), + "process.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "ProcessMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), + "process.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), + "ProcessMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), + "process.entry_meta.source.address" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceAddress" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.bytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceBytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.domain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceDomain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.ip" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceIp" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.mac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceMac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.nat.ip" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ?? 
new Source(),v), + "ProcessEntryMetaSourceNatIp" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.nat.port" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceNatPort" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.packets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourcePackets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.port" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourcePort" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.registered_domain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceRegisteredDomain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.subdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceSubdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.top_level_domain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceTopLevelDomain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.as.number" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceAsNumber" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ?? 
new Source(),v), + "process.entry_meta.source.as.organization.name" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceAsOrganizationName" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.city_name" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoCityName" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.continent_code" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoContinentCode" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.continent_name" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoContinentName" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.country_iso_code" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoCountryIsoCode" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.country_name" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoCountryName" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.name" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ?? 
new Source(),v), + "ProcessEntryMetaSourceGeoName" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.postal_code" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoPostalCode" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.region_iso_code" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoRegionIsoCode" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.region_name" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoRegionName" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.geo.timezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceGeoTimezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.domain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserDomain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.email" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserEmail" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.full_name" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ?? 
new Source(),v), + "ProcessEntryMetaSourceUserFullName" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.hash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserHash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.id" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserId" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.name" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserName" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.group.domain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserGroupDomain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.group.id" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserGroupId" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.group.name" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserGroupName" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.risk.calculated_level" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ?? 
new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedLevel" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.risk.calculated_score" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedScore" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.risk.calculated_score_norm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.risk.static_level" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticLevel" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.risk.static_score" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticScore" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.risk.static_score_norm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.target.user.domain" => static (e, v) => TryAssignSource("source.user.target.user.domain")(e.EntryMetaSource ?? 
new Source(),v), + "ProcessEntryMetaSourceUserTargetUserDomain" => static (e, v) => TryAssignSource("source.user.target.user.domain")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.target.user.email" => static (e, v) => TryAssignSource("source.user.target.user.email")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserTargetUserEmail" => static (e, v) => TryAssignSource("source.user.target.user.email")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.target.user.full_name" => static (e, v) => TryAssignSource("source.user.target.user.full_name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserTargetUserFullName" => static (e, v) => TryAssignSource("source.user.target.user.full_name")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.target.user.hash" => static (e, v) => TryAssignSource("source.user.target.user.hash")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserTargetUserHash" => static (e, v) => TryAssignSource("source.user.target.user.hash")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.target.user.id" => static (e, v) => TryAssignSource("source.user.target.user.id")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserTargetUserId" => static (e, v) => TryAssignSource("source.user.target.user.id")(e.EntryMetaSource ?? new Source(),v), + "process.entry_meta.source.user.target.user.name" => static (e, v) => TryAssignSource("source.user.target.user.name")(e.EntryMetaSource ?? new Source(),v), + "ProcessEntryMetaSourceUserTargetUserName" => static (e, v) => TryAssignSource("source.user.target.user.name")(e.EntryMetaSource ?? new Source(),v), + "process.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "ProcessUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? 
new User(),v), + "process.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "ProcessUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "process.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "ProcessUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "process.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "ProcessUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "process.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "ProcessUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "process.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "ProcessUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "process.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "ProcessUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "process.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "ProcessUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "process.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "ProcessUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "process.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "ProcessUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "process.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? 
new User(),v), + "ProcessUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "process.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "ProcessUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "process.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "ProcessUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "process.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "ProcessUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "process.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "ProcessUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "process.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "ProcessUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "process.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "ProcessUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "process.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "ProcessUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "process.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? 
new User(),v), + "ProcessUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "process.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "ProcessUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "process.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), + "ProcessUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), + "parent.process.args_count" => static (e, v) => TryAssignProcessParent("process.args_count")(e.Parent ?? new ProcessParent(),v), + "ParentProcessArgsCount" => static (e, v) => TryAssignProcessParent("process.args_count")(e.Parent ?? new ProcessParent(),v), + "parent.process.command_line" => static (e, v) => TryAssignProcessParent("process.command_line")(e.Parent ?? new ProcessParent(),v), + "ParentProcessCommandLine" => static (e, v) => TryAssignProcessParent("process.command_line")(e.Parent ?? new ProcessParent(),v), + "parent.process.end" => static (e, v) => TryAssignProcessParent("process.end")(e.Parent ?? new ProcessParent(),v), + "ParentProcessEnd" => static (e, v) => TryAssignProcessParent("process.end")(e.Parent ?? new ProcessParent(),v), + "parent.process.entity_id" => static (e, v) => TryAssignProcessParent("process.entity_id")(e.Parent ?? new ProcessParent(),v), + "ParentProcessEntityId" => static (e, v) => TryAssignProcessParent("process.entity_id")(e.Parent ?? new ProcessParent(),v), + "parent.process.executable" => static (e, v) => TryAssignProcessParent("process.executable")(e.Parent ?? new ProcessParent(),v), + "ParentProcessExecutable" => static (e, v) => TryAssignProcessParent("process.executable")(e.Parent ?? new ProcessParent(),v), + "parent.process.exit_code" => static (e, v) => TryAssignProcessParent("process.exit_code")(e.Parent ?? 
new ProcessParent(),v), + "ParentProcessExitCode" => static (e, v) => TryAssignProcessParent("process.exit_code")(e.Parent ?? new ProcessParent(),v), + "parent.process.interactive" => static (e, v) => TryAssignProcessParent("process.interactive")(e.Parent ?? new ProcessParent(),v), + "ParentProcessInteractive" => static (e, v) => TryAssignProcessParent("process.interactive")(e.Parent ?? new ProcessParent(),v), + "parent.process.name" => static (e, v) => TryAssignProcessParent("process.name")(e.Parent ?? new ProcessParent(),v), + "ParentProcessName" => static (e, v) => TryAssignProcessParent("process.name")(e.Parent ?? new ProcessParent(),v), + "parent.process.pgid" => static (e, v) => TryAssignProcessParent("process.pgid")(e.Parent ?? new ProcessParent(),v), + "ParentProcessPgid" => static (e, v) => TryAssignProcessParent("process.pgid")(e.Parent ?? new ProcessParent(),v), + "parent.process.pid" => static (e, v) => TryAssignProcessParent("process.pid")(e.Parent ?? new ProcessParent(),v), + "ParentProcessPid" => static (e, v) => TryAssignProcessParent("process.pid")(e.Parent ?? new ProcessParent(),v), + "parent.process.start" => static (e, v) => TryAssignProcessParent("process.start")(e.Parent ?? new ProcessParent(),v), + "ParentProcessStart" => static (e, v) => TryAssignProcessParent("process.start")(e.Parent ?? new ProcessParent(),v), + "parent.process.thread.id" => static (e, v) => TryAssignProcessParent("process.thread.id")(e.Parent ?? new ProcessParent(),v), + "ParentProcessThreadId" => static (e, v) => TryAssignProcessParent("process.thread.id")(e.Parent ?? new ProcessParent(),v), + "parent.process.thread.name" => static (e, v) => TryAssignProcessParent("process.thread.name")(e.Parent ?? new ProcessParent(),v), + "ParentProcessThreadName" => static (e, v) => TryAssignProcessParent("process.thread.name")(e.Parent ?? new ProcessParent(),v), + "parent.process.title" => static (e, v) => TryAssignProcessParent("process.title")(e.Parent ?? 
new ProcessParent(),v), + "ParentProcessTitle" => static (e, v) => TryAssignProcessParent("process.title")(e.Parent ?? new ProcessParent(),v), + "parent.process.uptime" => static (e, v) => TryAssignProcessParent("process.uptime")(e.Parent ?? new ProcessParent(),v), + "ParentProcessUptime" => static (e, v) => TryAssignProcessParent("process.uptime")(e.Parent ?? new ProcessParent(),v), + "parent.process.vpid" => static (e, v) => TryAssignProcessParent("process.vpid")(e.Parent ?? new ProcessParent(),v), + "ParentProcessVpid" => static (e, v) => TryAssignProcessParent("process.vpid")(e.Parent ?? new ProcessParent(),v), + "parent.process.working_directory" => static (e, v) => TryAssignProcessParent("process.working_directory")(e.Parent ?? new ProcessParent(),v), + "ParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessParent("process.working_directory")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.args_count" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.args_count")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessArgsCount" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.args_count")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.command_line" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.command_line")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessCommandLine" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.command_line")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.end" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.end")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessEnd" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.end")(e.Parent ?? 
new ProcessParent(),v), + "process.parent.group_leader.process.entity_id" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.entity_id")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessEntityId" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.entity_id")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.executable" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.executable")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessExecutable" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.executable")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.exit_code" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.exit_code")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessExitCode" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.exit_code")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.interactive" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.interactive")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessInteractive" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.interactive")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.name" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.name")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessName" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.name")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.pgid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pgid")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessPgid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pgid")(e.Parent ?? 
new ProcessParent(),v), + "process.parent.group_leader.process.pid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pid")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessPid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pid")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.start" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.start")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessStart" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.start")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.thread.id" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.id")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessThreadId" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.id")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.thread.name" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.name")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessThreadName" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.name")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.title" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.title")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessTitle" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.title")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.uptime" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.uptime")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessUptime" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.uptime")(e.Parent ?? 
new ProcessParent(),v), + "process.parent.group_leader.process.vpid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.vpid")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessVpid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.vpid")(e.Parent ?? new ProcessParent(),v), + "process.parent.group_leader.process.working_directory" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.working_directory")(e.Parent ?? new ProcessParent(),v), + "ProcessParentGroupLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.working_directory")(e.Parent ?? new ProcessParent(),v), + "process.entry_leader.parent.process.args_count" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.command_line" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.end" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessEnd" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.entity_id")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.entity_id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.executable" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.exit_code")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.exit_code")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.interactive" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.name" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessName" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.pgid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessPgid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pgid")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.pid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessPid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.start" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessStart" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.title" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessTitle" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.uptime" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.uptime")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessUptime" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.vpid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessVpid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.entry_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "ProcessEntryLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.command_line")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.entity_id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.entity_id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.exit_code")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.exit_code")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pid")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.title")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), + "process.session_leader.parent.process.args_count" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.args_count")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.args_count")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "process.session_leader.parent.process.command_line" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.end" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.end")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessEnd" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.end")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.executable" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.exit_code")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "process.session_leader.parent.process.interactive" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.name" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessName" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.pgid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessPgid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.pid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessPid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.start" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.start")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessStart" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.start")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "process.session_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.title" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessTitle" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.uptime" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessUptime" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "process.session_leader.parent.process.vpid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessVpid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.vpid")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "process.session_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "ProcessSessionLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.args_count")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.args_count")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.end")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.end")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.interactive")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.start")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.start")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.title")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "session_leader.process.parent.session_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), + "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), + _ => null + }; + return assign; + } + public static bool TrySetProcess(EcsDocument document, string path, object value) + { + var assign = TryAssignProcess(path); + if (assign == null) return false; + + var entity = document.Process ?? 
new Process(); var assigned = assign(entity, value); if (assigned) document.Process = entity; return assigned; } - public static bool TrySetRegistry(EcsDocument document, string path, object value) + public static Func TryAssignRegistry(string path) { Func assign = path switch { @@ -4863,6 +5327,11 @@ public static bool TrySetRegistry(EcsDocument document, string path, object valu "RegistryValue" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Value = p), _ => null }; + return assign; + } + public static bool TrySetRegistry(EcsDocument document, string path, object value) + { + var assign = TryAssignRegistry(path); if (assign == null) return false; var entity = document.Registry ?? new Registry(); @@ -4871,12 +5340,17 @@ public static bool TrySetRegistry(EcsDocument document, string path, object valu return assigned; } - public static bool TrySetRelated(EcsDocument document, string path, object value) + public static Func TryAssignRelated(string path) { Func assign = path switch { _ => null }; + return assign; + } + public static bool TrySetRelated(EcsDocument document, string path, object value) + { + var assign = TryAssignRelated(path); if (assign == null) return false; var entity = document.Related ?? new Related(); 
@@ -4885,7 +5359,38 @@ public static bool TrySetRelated(EcsDocument document, string path, object value return assigned; } - public static bool TrySetRule(EcsDocument document, string path, object value) + public static Func TryAssignRisk(string path) + { + Func assign = path switch + { + "risk.calculated_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), + "RiskCalculatedLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), + "risk.calculated_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), + "RiskCalculatedScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), + "risk.calculated_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), + "RiskCalculatedScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), + "risk.static_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), + "RiskStaticLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), + "risk.static_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), + "RiskStaticScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), + "risk.static_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), + "RiskStaticScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), + _ => null + }; + return assign; + } + public static bool TrySetRisk(IRisk document, string path, object value) + { + var assign = TryAssignRisk(path); + if (assign == null) return false; + + var entity = document.Risk ?? new Risk(); + var assigned = assign(entity, value); + if (assigned) document.Risk = entity; + return assigned; + } + + public static Func TryAssignRule(string path) { Func assign = path switch { 
@@ -4909,6 +5414,11 @@ public static bool TrySetRule(EcsDocument document, string path, object value) "RuleVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetRule(EcsDocument document, string path, object value) + { + var assign = TryAssignRule(path); if (assign == null) return false; var entity = document.Rule ?? new Rule(); @@ -4917,7 +5427,7 @@ public static bool TrySetRule(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetServer(EcsDocument document, string path, object value) + public static Func TryAssignServer(string path) { Func assign = path switch { 
@@ -4945,74 +5455,79 @@ public static bool TrySetServer(EcsDocument document, string path, object value) "ServerSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "server.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ServerTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "server.as.number" => static (e, v) => TrySetAs(e, "as.number", v), - "ServerAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), - "server.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "ServerAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "server.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "ServerGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "server.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "ServerGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "server.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "ServerGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "server.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "ServerGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "server.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "ServerGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "server.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "ServerGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "server.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "ServerGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "server.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "ServerGeoRegionIsoCode" 
=> static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "server.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "ServerGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "server.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "ServerGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "server.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), - "ServerUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), - "server.user.email" => static (e, v) => TrySetUser(e, "user.email", v), - "ServerUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), - "server.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), - "ServerUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), - "server.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), - "ServerUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), - "server.user.id" => static (e, v) => TrySetUser(e, "user.id", v), - "ServerUserId" => static (e, v) => TrySetUser(e, "user.id", v), - "server.user.name" => static (e, v) => TrySetUser(e, "user.name", v), - "ServerUserName" => static (e, v) => TrySetUser(e, "user.name", v), - "server.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "ServerUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "server.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), - "ServerUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), - "server.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), - "ServerUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), - "server.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "ServerUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "server.user.risk.calculated_score" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "ServerUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "server.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "ServerUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "server.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "ServerUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "server.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "ServerUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "server.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "ServerUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "server.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "ServerUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "server.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), - "ServerUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), - "server.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "ServerUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "server.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "ServerUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "server.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), - "ServerUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), - "server.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), - "ServerUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), + "server.as.number" 
=> static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "ServerAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "server.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "ServerAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "server.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "ServerGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "server.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "ServerGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "server.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "ServerGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "server.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "ServerGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "server.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "ServerGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "server.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "ServerGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "server.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "ServerGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "server.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "ServerGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? 
new Geo(),v), + "server.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "ServerGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "server.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "ServerGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "server.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "ServerUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "server.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "ServerUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "server.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "ServerUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "server.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "ServerUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "server.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "ServerUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "server.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "ServerUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "server.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "ServerUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "server.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "ServerUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? 
new User(),v), + "server.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "ServerUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "server.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "ServerUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "server.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "ServerUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "server.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "ServerUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "server.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "ServerUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "server.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "ServerUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "server.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "ServerUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "server.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "ServerUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? 
new User(),v), + "server.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "ServerUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "server.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "ServerUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "server.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "ServerUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "server.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "ServerUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "server.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), + "ServerUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), _ => null }; + return assign; + } + public static bool TrySetServer(EcsDocument document, string path, object value) + { + var assign = TryAssignServer(path); if (assign == null) return false; var entity = document.Server ?? new Server(); @@ -5021,7 +5536,7 @@ public static bool TrySetServer(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetService(EcsDocument document, string path, object value) + public static Func TryAssignService(string path) { Func assign = path switch { 
@@ -5045,28 +5560,33 @@ public static bool TrySetService(EcsDocument document, string path, object value "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "service.origin.address" => static (e, v) => TrySetService(e, "service.address", v), - "ServiceServiceAddress" => static (e, v) => TrySetServiceOrigin(e, "service.address", v), - "service.service.environment" => static (e, v) => TrySetServiceOrigin(e, "service.environment", v), - "ServiceServiceEnvironment" => static (e, v) => TrySetServiceOrigin(e, "service.environment", v), - "service.service.ephemeral_id" => static (e, v) => TrySetServiceOrigin(e, "service.ephemeral_id", v), - "ServiceServiceEphemeralId" => static (e, v) => TrySetServiceOrigin(e, "service.ephemeral_id", v), - "service.service.id" => static (e, v) => TrySetServiceOrigin(e, "service.id", v), - "ServiceServiceId" => static (e, v) => TrySetServiceOrigin(e, "service.id", v), - "service.service.name" => static (e, v) => TrySetServiceOrigin(e, "service.name", v), - "ServiceServiceName" => static (e, v) => TrySetServiceOrigin(e, "service.name", v), - "service.service.node.name" => static (e, v) => TrySetServiceOrigin(e, "service.node.name", v), - "ServiceServiceNodeName" => static (e, v) => TrySetServiceOrigin(e, "service.node.name", v), - "service.service.node.role" => static (e, v) => TrySetServiceOrigin(e, "service.node.role", v), - "ServiceServiceNodeRole" => static (e, v) => TrySetServiceOrigin(e, "service.node.role", v), - "service.service.state" => static (e, v) => TrySetServiceOrigin(e, "service.state", v), - "ServiceServiceState" => static (e, v) => TrySetServiceOrigin(e, "service.state", v), - "service.service.type" => static (e, v) => TrySetServiceOrigin(e, "service.type", v), - "ServiceServiceType" => static (e, v) => 
TrySetServiceOrigin(e, "service.type", v), - "service.service.version" => static (e, v) => TrySetServiceOrigin(e, "service.version", v), - "ServiceServiceVersion" => static (e, v) => TrySetServiceOrigin(e, "service.version", v), + "origin.service.address" => static (e, v) => TryAssignServiceOrigin("service.address")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceAddress" => static (e, v) => TryAssignServiceOrigin("service.address")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.environment" => static (e, v) => TryAssignServiceOrigin("service.environment")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceEnvironment" => static (e, v) => TryAssignServiceOrigin("service.environment")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.ephemeral_id" => static (e, v) => TryAssignServiceOrigin("service.ephemeral_id")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceEphemeralId" => static (e, v) => TryAssignServiceOrigin("service.ephemeral_id")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.id" => static (e, v) => TryAssignServiceOrigin("service.id")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceId" => static (e, v) => TryAssignServiceOrigin("service.id")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.name" => static (e, v) => TryAssignServiceOrigin("service.name")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceName" => static (e, v) => TryAssignServiceOrigin("service.name")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.node.name" => static (e, v) => TryAssignServiceOrigin("service.node.name")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceNodeName" => static (e, v) => TryAssignServiceOrigin("service.node.name")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.node.role" => static (e, v) => TryAssignServiceOrigin("service.node.role")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceNodeRole" => static (e, v) => TryAssignServiceOrigin("service.node.role")(e.Origin ?? 
new ServiceOrigin(),v), + "origin.service.state" => static (e, v) => TryAssignServiceOrigin("service.state")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceState" => static (e, v) => TryAssignServiceOrigin("service.state")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.type" => static (e, v) => TryAssignServiceOrigin("service.type")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceType" => static (e, v) => TryAssignServiceOrigin("service.type")(e.Origin ?? new ServiceOrigin(),v), + "origin.service.version" => static (e, v) => TryAssignServiceOrigin("service.version")(e.Origin ?? new ServiceOrigin(),v), + "OriginServiceVersion" => static (e, v) => TryAssignServiceOrigin("service.version")(e.Origin ?? new ServiceOrigin(),v), _ => null }; + return assign; + } + public static bool TrySetService(EcsDocument document, string path, object value) + { + var assign = TryAssignService(path); if (assign == null) return false; var entity = document.Service ?? new Service(); @@ -5075,7 +5595,7 @@ public static bool TrySetService(EcsDocument document, string path, object value return assigned; } - public static bool TrySetSource(EcsDocument document, string path, object value) + public static Func TryAssignSource(string path) { Func assign = path switch { 
@@ -5103,74 +5623,79 @@ public static bool TrySetSource(EcsDocument document, string path, object value) "SourceSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "source.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "SourceTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "source.as.number" => static (e, v) => TrySetAs(e, "as.number", v), - "SourceAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), - "source.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "SourceAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "source.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "SourceGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "source.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "SourceGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "source.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "SourceGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "source.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "SourceGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "source.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "SourceGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "source.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "SourceGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "source.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "SourceGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "source.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "SourceGeoRegionIsoCode" 
=> static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "source.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "SourceGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "source.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "SourceGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "source.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), - "SourceUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), - "source.user.email" => static (e, v) => TrySetUser(e, "user.email", v), - "SourceUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), - "source.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), - "SourceUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), - "source.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), - "SourceUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), - "source.user.id" => static (e, v) => TrySetUser(e, "user.id", v), - "SourceUserId" => static (e, v) => TrySetUser(e, "user.id", v), - "source.user.name" => static (e, v) => TrySetUser(e, "user.name", v), - "SourceUserName" => static (e, v) => TrySetUser(e, "user.name", v), - "source.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "SourceUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "source.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), - "SourceUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), - "source.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), - "SourceUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), - "source.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "SourceUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "source.user.risk.calculated_score" => 
static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "SourceUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "source.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "source.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "SourceUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "source.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "SourceUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "source.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "SourceUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "source.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "SourceUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "source.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), - "SourceUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), - "source.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "SourceUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "source.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "SourceUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "source.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), - "SourceUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), - "source.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), - "SourceUserUserName" => static (e, v) => TrySetUser(e, "user.user.name", v), + "source.as.number" 
=> static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "SourceAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), + "source.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "SourceAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), + "source.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "SourceGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), + "source.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "SourceGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), + "source.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "SourceGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), + "source.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "SourceGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), + "source.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "SourceGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), + "source.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "SourceGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), + "source.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "SourceGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), + "source.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), + "SourceGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? 
new Geo(),v), + "source.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "SourceGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), + "source.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "SourceGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), + "source.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "SourceUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), + "source.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "SourceUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), + "source.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "SourceUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), + "source.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "SourceUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), + "source.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "SourceUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), + "source.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "SourceUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), + "source.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "SourceUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), + "source.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), + "SourceUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? 
new User(),v), + "source.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "SourceUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), + "source.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "SourceUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), + "source.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "SourceUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), + "source.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), + "source.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "SourceUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), + "source.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "SourceUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), + "source.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "SourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), + "source.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), + "SourceUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? 
new User(),v), + "source.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "SourceUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), + "source.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "SourceUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), + "source.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "SourceUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), + "source.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "SourceUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), + "source.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), + "SourceUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), _ => null }; + return assign; + } + public static bool TrySetSource(EcsDocument document, string path, object value) + { + var assign = TryAssignSource(path); if (assign == null) return false; var entity = document.Source ?? new Source(); @@ -5179,7 +5704,7 @@ public static bool TrySetSource(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetThreat(EcsDocument document, string path, object value) + public static Func TryAssignThreat(string path) { Func assign = path switch { 
@@ -5239,282 +5764,287 @@ public static bool TrySetThreat(EcsDocument document, string path, object value) "ThreatSoftwareReference" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareReference = p), "threat.software.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), "ThreatSoftwareType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), - "threat.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "ThreatX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "threat.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "ThreatX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "threat.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "ThreatX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "threat.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "ThreatX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "threat.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "ThreatX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "threat.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "ThreatX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "threat.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "ThreatX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "threat.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "ThreatX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "threat.x509.signature_algorithm" => static (e, v) => TrySetX509(e, 
"x509.signature_algorithm", v), - "ThreatX509SignatureAlgorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), - "threat.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "ThreatX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "threat.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), - "ThreatX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), - "threat.as.number" => static (e, v) => TrySetAs(e, "as.number", v), - "ThreatAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), - "threat.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "ThreatAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "threat.file.accessed" => static (e, v) => TrySetFile(e, "file.accessed", v), - "ThreatFileAccessed" => static (e, v) => TrySetFile(e, "file.accessed", v), - "threat.file.created" => static (e, v) => TrySetFile(e, "file.created", v), - "ThreatFileCreated" => static (e, v) => TrySetFile(e, "file.created", v), - "threat.file.ctime" => static (e, v) => TrySetFile(e, "file.ctime", v), - "ThreatFileCtime" => static (e, v) => TrySetFile(e, "file.ctime", v), - "threat.file.device" => static (e, v) => TrySetFile(e, "file.device", v), - "ThreatFileDevice" => static (e, v) => TrySetFile(e, "file.device", v), - "threat.file.directory" => static (e, v) => TrySetFile(e, "file.directory", v), - "ThreatFileDirectory" => static (e, v) => TrySetFile(e, "file.directory", v), - "threat.file.drive_letter" => static (e, v) => TrySetFile(e, "file.drive_letter", v), - "ThreatFileDriveLetter" => static (e, v) => TrySetFile(e, "file.drive_letter", v), - "threat.file.extension" => static (e, v) => TrySetFile(e, "file.extension", v), - "ThreatFileExtension" => static (e, v) => TrySetFile(e, "file.extension", v), - "threat.file.fork_name" => static 
(e, v) => TrySetFile(e, "file.fork_name", v), - "ThreatFileForkName" => static (e, v) => TrySetFile(e, "file.fork_name", v), - "threat.file.gid" => static (e, v) => TrySetFile(e, "file.gid", v), - "ThreatFileGid" => static (e, v) => TrySetFile(e, "file.gid", v), - "threat.file.group" => static (e, v) => TrySetFile(e, "file.group", v), - "ThreatFileGroup" => static (e, v) => TrySetFile(e, "file.group", v), - "threat.file.inode" => static (e, v) => TrySetFile(e, "file.inode", v), - "ThreatFileInode" => static (e, v) => TrySetFile(e, "file.inode", v), - "threat.file.mime_type" => static (e, v) => TrySetFile(e, "file.mime_type", v), - "ThreatFileMimeType" => static (e, v) => TrySetFile(e, "file.mime_type", v), - "threat.file.mode" => static (e, v) => TrySetFile(e, "file.mode", v), - "ThreatFileMode" => static (e, v) => TrySetFile(e, "file.mode", v), - "threat.file.mtime" => static (e, v) => TrySetFile(e, "file.mtime", v), - "ThreatFileMtime" => static (e, v) => TrySetFile(e, "file.mtime", v), - "threat.file.name" => static (e, v) => TrySetFile(e, "file.name", v), - "ThreatFileName" => static (e, v) => TrySetFile(e, "file.name", v), - "threat.file.owner" => static (e, v) => TrySetFile(e, "file.owner", v), - "ThreatFileOwner" => static (e, v) => TrySetFile(e, "file.owner", v), - "threat.file.path" => static (e, v) => TrySetFile(e, "file.path", v), - "ThreatFilePath" => static (e, v) => TrySetFile(e, "file.path", v), - "threat.file.size" => static (e, v) => TrySetFile(e, "file.size", v), - "ThreatFileSize" => static (e, v) => TrySetFile(e, "file.size", v), - "threat.file.target_path" => static (e, v) => TrySetFile(e, "file.target_path", v), - "ThreatFileTargetPath" => static (e, v) => TrySetFile(e, "file.target_path", v), - "threat.file.type" => static (e, v) => TrySetFile(e, "file.type", v), - "ThreatFileType" => static (e, v) => TrySetFile(e, "file.type", v), - "threat.file.uid" => static (e, v) => TrySetFile(e, "file.uid", v), - "ThreatFileUid" => static (e, v) => 
TrySetFile(e, "file.uid", v), - "threat.file.hash.md5" => static (e, v) => TrySetFile(e, "file.hash.md5", v), - "ThreatFileHashMd5" => static (e, v) => TrySetFile(e, "file.hash.md5", v), - "threat.file.hash.sha1" => static (e, v) => TrySetFile(e, "file.hash.sha1", v), - "ThreatFileHashSha1" => static (e, v) => TrySetFile(e, "file.hash.sha1", v), - "threat.file.hash.sha256" => static (e, v) => TrySetFile(e, "file.hash.sha256", v), - "ThreatFileHashSha256" => static (e, v) => TrySetFile(e, "file.hash.sha256", v), - "threat.file.hash.sha384" => static (e, v) => TrySetFile(e, "file.hash.sha384", v), - "ThreatFileHashSha384" => static (e, v) => TrySetFile(e, "file.hash.sha384", v), - "threat.file.hash.sha512" => static (e, v) => TrySetFile(e, "file.hash.sha512", v), - "ThreatFileHashSha512" => static (e, v) => TrySetFile(e, "file.hash.sha512", v), - "threat.file.hash.ssdeep" => static (e, v) => TrySetFile(e, "file.hash.ssdeep", v), - "ThreatFileHashSsdeep" => static (e, v) => TrySetFile(e, "file.hash.ssdeep", v), - "threat.file.hash.tlsh" => static (e, v) => TrySetFile(e, "file.hash.tlsh", v), - "ThreatFileHashTlsh" => static (e, v) => TrySetFile(e, "file.hash.tlsh", v), - "threat.file.pe.architecture" => static (e, v) => TrySetFile(e, "file.pe.architecture", v), - "ThreatFilePeArchitecture" => static (e, v) => TrySetFile(e, "file.pe.architecture", v), - "threat.file.pe.company" => static (e, v) => TrySetFile(e, "file.pe.company", v), - "ThreatFilePeCompany" => static (e, v) => TrySetFile(e, "file.pe.company", v), - "threat.file.pe.description" => static (e, v) => TrySetFile(e, "file.pe.description", v), - "ThreatFilePeDescription" => static (e, v) => TrySetFile(e, "file.pe.description", v), - "threat.file.pe.file_version" => static (e, v) => TrySetFile(e, "file.pe.file_version", v), - "ThreatFilePeFileVersion" => static (e, v) => TrySetFile(e, "file.pe.file_version", v), - "threat.file.pe.go_import_hash" => static (e, v) => TrySetFile(e, "file.pe.go_import_hash", v), - 
"ThreatFilePeGoImportHash" => static (e, v) => TrySetFile(e, "file.pe.go_import_hash", v), - "threat.file.pe.go_imports" => static (e, v) => TrySetFile(e, "file.pe.go_imports", v), - "ThreatFilePeGoImports" => static (e, v) => TrySetFile(e, "file.pe.go_imports", v), - "threat.file.pe.go_imports_names_entropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_entropy", v), - "ThreatFilePeGoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_entropy", v), - "threat.file.pe.go_imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_var_entropy", v), - "ThreatFilePeGoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.pe.go_imports_names_var_entropy", v), - "threat.file.pe.go_stripped" => static (e, v) => TrySetFile(e, "file.pe.go_stripped", v), - "ThreatFilePeGoStripped" => static (e, v) => TrySetFile(e, "file.pe.go_stripped", v), - "threat.file.pe.imphash" => static (e, v) => TrySetFile(e, "file.pe.imphash", v), - "ThreatFilePeImphash" => static (e, v) => TrySetFile(e, "file.pe.imphash", v), - "threat.file.pe.import_hash" => static (e, v) => TrySetFile(e, "file.pe.import_hash", v), - "ThreatFilePeImportHash" => static (e, v) => TrySetFile(e, "file.pe.import_hash", v), - "threat.file.pe.imports_names_entropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_entropy", v), - "ThreatFilePeImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_entropy", v), - "threat.file.pe.imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_var_entropy", v), - "ThreatFilePeImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.pe.imports_names_var_entropy", v), - "threat.file.pe.original_file_name" => static (e, v) => TrySetFile(e, "file.pe.original_file_name", v), - "ThreatFilePeOriginalFileName" => static (e, v) => TrySetFile(e, "file.pe.original_file_name", v), - "threat.file.pe.pehash" => static (e, v) => TrySetFile(e, 
"file.pe.pehash", v), - "ThreatFilePePehash" => static (e, v) => TrySetFile(e, "file.pe.pehash", v), - "threat.file.pe.product" => static (e, v) => TrySetFile(e, "file.pe.product", v), - "ThreatFilePeProduct" => static (e, v) => TrySetFile(e, "file.pe.product", v), - "threat.file.x509.issuer.distinguished_name" => static (e, v) => TrySetFile(e, "file.x509.issuer.distinguished_name", v), - "ThreatFileX509IssuerDistinguishedName" => static (e, v) => TrySetFile(e, "file.x509.issuer.distinguished_name", v), - "threat.file.x509.not_after" => static (e, v) => TrySetFile(e, "file.x509.not_after", v), - "ThreatFileX509NotAfter" => static (e, v) => TrySetFile(e, "file.x509.not_after", v), - "threat.file.x509.not_before" => static (e, v) => TrySetFile(e, "file.x509.not_before", v), - "ThreatFileX509NotBefore" => static (e, v) => TrySetFile(e, "file.x509.not_before", v), - "threat.file.x509.public_key_algorithm" => static (e, v) => TrySetFile(e, "file.x509.public_key_algorithm", v), - "ThreatFileX509PublicKeyAlgorithm" => static (e, v) => TrySetFile(e, "file.x509.public_key_algorithm", v), - "threat.file.x509.public_key_curve" => static (e, v) => TrySetFile(e, "file.x509.public_key_curve", v), - "ThreatFileX509PublicKeyCurve" => static (e, v) => TrySetFile(e, "file.x509.public_key_curve", v), - "threat.file.x509.public_key_exponent" => static (e, v) => TrySetFile(e, "file.x509.public_key_exponent", v), - "ThreatFileX509PublicKeyExponent" => static (e, v) => TrySetFile(e, "file.x509.public_key_exponent", v), - "threat.file.x509.public_key_size" => static (e, v) => TrySetFile(e, "file.x509.public_key_size", v), - "ThreatFileX509PublicKeySize" => static (e, v) => TrySetFile(e, "file.x509.public_key_size", v), - "threat.file.x509.serial_number" => static (e, v) => TrySetFile(e, "file.x509.serial_number", v), - "ThreatFileX509SerialNumber" => static (e, v) => TrySetFile(e, "file.x509.serial_number", v), - "threat.file.x509.signature_algorithm" => static (e, v) => TrySetFile(e, 
"file.x509.signature_algorithm", v), - "ThreatFileX509SignatureAlgorithm" => static (e, v) => TrySetFile(e, "file.x509.signature_algorithm", v), - "threat.file.x509.subject.distinguished_name" => static (e, v) => TrySetFile(e, "file.x509.subject.distinguished_name", v), - "ThreatFileX509SubjectDistinguishedName" => static (e, v) => TrySetFile(e, "file.x509.subject.distinguished_name", v), - "threat.file.x509.version_number" => static (e, v) => TrySetFile(e, "file.x509.version_number", v), - "ThreatFileX509VersionNumber" => static (e, v) => TrySetFile(e, "file.x509.version_number", v), - "threat.file.code_signature.digest_algorithm" => static (e, v) => TrySetFile(e, "file.code_signature.digest_algorithm", v), - "ThreatFileCodeSignatureDigestAlgorithm" => static (e, v) => TrySetFile(e, "file.code_signature.digest_algorithm", v), - "threat.file.code_signature.exists" => static (e, v) => TrySetFile(e, "file.code_signature.exists", v), - "ThreatFileCodeSignatureExists" => static (e, v) => TrySetFile(e, "file.code_signature.exists", v), - "threat.file.code_signature.signing_id" => static (e, v) => TrySetFile(e, "file.code_signature.signing_id", v), - "ThreatFileCodeSignatureSigningId" => static (e, v) => TrySetFile(e, "file.code_signature.signing_id", v), - "threat.file.code_signature.status" => static (e, v) => TrySetFile(e, "file.code_signature.status", v), - "ThreatFileCodeSignatureStatus" => static (e, v) => TrySetFile(e, "file.code_signature.status", v), - "threat.file.code_signature.subject_name" => static (e, v) => TrySetFile(e, "file.code_signature.subject_name", v), - "ThreatFileCodeSignatureSubjectName" => static (e, v) => TrySetFile(e, "file.code_signature.subject_name", v), - "threat.file.code_signature.team_id" => static (e, v) => TrySetFile(e, "file.code_signature.team_id", v), - "ThreatFileCodeSignatureTeamId" => static (e, v) => TrySetFile(e, "file.code_signature.team_id", v), - "threat.file.code_signature.timestamp" => static (e, v) => TrySetFile(e, 
"file.code_signature.timestamp", v), - "ThreatFileCodeSignatureTimestamp" => static (e, v) => TrySetFile(e, "file.code_signature.timestamp", v), - "threat.file.code_signature.trusted" => static (e, v) => TrySetFile(e, "file.code_signature.trusted", v), - "ThreatFileCodeSignatureTrusted" => static (e, v) => TrySetFile(e, "file.code_signature.trusted", v), - "threat.file.code_signature.valid" => static (e, v) => TrySetFile(e, "file.code_signature.valid", v), - "ThreatFileCodeSignatureValid" => static (e, v) => TrySetFile(e, "file.code_signature.valid", v), - "threat.file.elf.architecture" => static (e, v) => TrySetFile(e, "file.elf.architecture", v), - "ThreatFileElfArchitecture" => static (e, v) => TrySetFile(e, "file.elf.architecture", v), - "threat.file.elf.byte_order" => static (e, v) => TrySetFile(e, "file.elf.byte_order", v), - "ThreatFileElfByteOrder" => static (e, v) => TrySetFile(e, "file.elf.byte_order", v), - "threat.file.elf.cpu_type" => static (e, v) => TrySetFile(e, "file.elf.cpu_type", v), - "ThreatFileElfCpuType" => static (e, v) => TrySetFile(e, "file.elf.cpu_type", v), - "threat.file.elf.creation_date" => static (e, v) => TrySetFile(e, "file.elf.creation_date", v), - "ThreatFileElfCreationDate" => static (e, v) => TrySetFile(e, "file.elf.creation_date", v), - "threat.file.elf.go_import_hash" => static (e, v) => TrySetFile(e, "file.elf.go_import_hash", v), - "ThreatFileElfGoImportHash" => static (e, v) => TrySetFile(e, "file.elf.go_import_hash", v), - "threat.file.elf.go_imports" => static (e, v) => TrySetFile(e, "file.elf.go_imports", v), - "ThreatFileElfGoImports" => static (e, v) => TrySetFile(e, "file.elf.go_imports", v), - "threat.file.elf.go_imports_names_entropy" => static (e, v) => TrySetFile(e, "file.elf.go_imports_names_entropy", v), - "ThreatFileElfGoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.elf.go_imports_names_entropy", v), - "threat.file.elf.go_imports_names_var_entropy" => static (e, v) => TrySetFile(e, 
"file.elf.go_imports_names_var_entropy", v), - "ThreatFileElfGoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.elf.go_imports_names_var_entropy", v), - "threat.file.elf.go_stripped" => static (e, v) => TrySetFile(e, "file.elf.go_stripped", v), - "ThreatFileElfGoStripped" => static (e, v) => TrySetFile(e, "file.elf.go_stripped", v), - "threat.file.elf.header.abi_version" => static (e, v) => TrySetFile(e, "file.elf.header.abi_version", v), - "ThreatFileElfHeaderAbiVersion" => static (e, v) => TrySetFile(e, "file.elf.header.abi_version", v), - "threat.file.elf.header.class" => static (e, v) => TrySetFile(e, "file.elf.header.class", v), - "ThreatFileElfHeaderClass" => static (e, v) => TrySetFile(e, "file.elf.header.class", v), - "threat.file.elf.header.data" => static (e, v) => TrySetFile(e, "file.elf.header.data", v), - "ThreatFileElfHeaderData" => static (e, v) => TrySetFile(e, "file.elf.header.data", v), - "threat.file.elf.header.entrypoint" => static (e, v) => TrySetFile(e, "file.elf.header.entrypoint", v), - "ThreatFileElfHeaderEntrypoint" => static (e, v) => TrySetFile(e, "file.elf.header.entrypoint", v), - "threat.file.elf.header.object_version" => static (e, v) => TrySetFile(e, "file.elf.header.object_version", v), - "ThreatFileElfHeaderObjectVersion" => static (e, v) => TrySetFile(e, "file.elf.header.object_version", v), - "threat.file.elf.header.os_abi" => static (e, v) => TrySetFile(e, "file.elf.header.os_abi", v), - "ThreatFileElfHeaderOsAbi" => static (e, v) => TrySetFile(e, "file.elf.header.os_abi", v), - "threat.file.elf.header.type" => static (e, v) => TrySetFile(e, "file.elf.header.type", v), - "ThreatFileElfHeaderType" => static (e, v) => TrySetFile(e, "file.elf.header.type", v), - "threat.file.elf.header.version" => static (e, v) => TrySetFile(e, "file.elf.header.version", v), - "ThreatFileElfHeaderVersion" => static (e, v) => TrySetFile(e, "file.elf.header.version", v), - "threat.file.elf.import_hash" => static (e, v) => 
TrySetFile(e, "file.elf.import_hash", v), - "ThreatFileElfImportHash" => static (e, v) => TrySetFile(e, "file.elf.import_hash", v), - "threat.file.elf.imports_names_entropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_entropy", v), - "ThreatFileElfImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_entropy", v), - "threat.file.elf.imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_var_entropy", v), - "ThreatFileElfImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.elf.imports_names_var_entropy", v), - "threat.file.elf.telfhash" => static (e, v) => TrySetFile(e, "file.elf.telfhash", v), - "ThreatFileElfTelfhash" => static (e, v) => TrySetFile(e, "file.elf.telfhash", v), - "threat.file.macho.go_import_hash" => static (e, v) => TrySetFile(e, "file.macho.go_import_hash", v), - "ThreatFileMachoGoImportHash" => static (e, v) => TrySetFile(e, "file.macho.go_import_hash", v), - "threat.file.macho.go_imports" => static (e, v) => TrySetFile(e, "file.macho.go_imports", v), - "ThreatFileMachoGoImports" => static (e, v) => TrySetFile(e, "file.macho.go_imports", v), - "threat.file.macho.go_imports_names_entropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_entropy", v), - "ThreatFileMachoGoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_entropy", v), - "threat.file.macho.go_imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_var_entropy", v), - "ThreatFileMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.macho.go_imports_names_var_entropy", v), - "threat.file.macho.go_stripped" => static (e, v) => TrySetFile(e, "file.macho.go_stripped", v), - "ThreatFileMachoGoStripped" => static (e, v) => TrySetFile(e, "file.macho.go_stripped", v), - "threat.file.macho.import_hash" => static (e, v) => TrySetFile(e, "file.macho.import_hash", v), - "ThreatFileMachoImportHash" => static (e, v) => 
TrySetFile(e, "file.macho.import_hash", v), - "threat.file.macho.imports_names_entropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_entropy", v), - "ThreatFileMachoImportsNamesEntropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_entropy", v), - "threat.file.macho.imports_names_var_entropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_var_entropy", v), - "ThreatFileMachoImportsNamesVarEntropy" => static (e, v) => TrySetFile(e, "file.macho.imports_names_var_entropy", v), - "threat.file.macho.symhash" => static (e, v) => TrySetFile(e, "file.macho.symhash", v), - "ThreatFileMachoSymhash" => static (e, v) => TrySetFile(e, "file.macho.symhash", v), - "threat.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "ThreatGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "threat.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "ThreatGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "threat.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "ThreatGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "threat.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "ThreatGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "threat.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "ThreatGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "threat.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "ThreatGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "threat.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "ThreatGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "threat.geo.region_iso_code" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "ThreatGeoRegionIsoCode" => static (e, v) => 
TrySetGeo(e, "geo.region_iso_code", v), - "threat.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "ThreatGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "threat.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "ThreatGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "threat.registry.data.bytes" => static (e, v) => TrySetRegistry(e, "registry.data.bytes", v), - "ThreatRegistryDataBytes" => static (e, v) => TrySetRegistry(e, "registry.data.bytes", v), - "threat.registry.data.type" => static (e, v) => TrySetRegistry(e, "registry.data.type", v), - "ThreatRegistryDataType" => static (e, v) => TrySetRegistry(e, "registry.data.type", v), - "threat.registry.hive" => static (e, v) => TrySetRegistry(e, "registry.hive", v), - "ThreatRegistryHive" => static (e, v) => TrySetRegistry(e, "registry.hive", v), - "threat.registry.key" => static (e, v) => TrySetRegistry(e, "registry.key", v), - "ThreatRegistryKey" => static (e, v) => TrySetRegistry(e, "registry.key", v), - "threat.registry.path" => static (e, v) => TrySetRegistry(e, "registry.path", v), - "ThreatRegistryPath" => static (e, v) => TrySetRegistry(e, "registry.path", v), - "threat.registry.value" => static (e, v) => TrySetRegistry(e, "registry.value", v), - "ThreatRegistryValue" => static (e, v) => TrySetRegistry(e, "registry.value", v), - "threat.url.domain" => static (e, v) => TrySetUrl(e, "url.domain", v), - "ThreatUrlDomain" => static (e, v) => TrySetUrl(e, "url.domain", v), - "threat.url.extension" => static (e, v) => TrySetUrl(e, "url.extension", v), - "ThreatUrlExtension" => static (e, v) => TrySetUrl(e, "url.extension", v), - "threat.url.fragment" => static (e, v) => TrySetUrl(e, "url.fragment", v), - "ThreatUrlFragment" => static (e, v) => TrySetUrl(e, "url.fragment", v), - "threat.url.full" => static (e, v) => TrySetUrl(e, "url.full", v), - "ThreatUrlFull" => static (e, v) => TrySetUrl(e, "url.full", v), - 
"threat.url.original" => static (e, v) => TrySetUrl(e, "url.original", v), - "ThreatUrlOriginal" => static (e, v) => TrySetUrl(e, "url.original", v), - "threat.url.password" => static (e, v) => TrySetUrl(e, "url.password", v), - "ThreatUrlPassword" => static (e, v) => TrySetUrl(e, "url.password", v), - "threat.url.path" => static (e, v) => TrySetUrl(e, "url.path", v), - "ThreatUrlPath" => static (e, v) => TrySetUrl(e, "url.path", v), - "threat.url.port" => static (e, v) => TrySetUrl(e, "url.port", v), - "ThreatUrlPort" => static (e, v) => TrySetUrl(e, "url.port", v), - "threat.url.query" => static (e, v) => TrySetUrl(e, "url.query", v), - "ThreatUrlQuery" => static (e, v) => TrySetUrl(e, "url.query", v), - "threat.url.registered_domain" => static (e, v) => TrySetUrl(e, "url.registered_domain", v), - "ThreatUrlRegisteredDomain" => static (e, v) => TrySetUrl(e, "url.registered_domain", v), - "threat.url.scheme" => static (e, v) => TrySetUrl(e, "url.scheme", v), - "ThreatUrlScheme" => static (e, v) => TrySetUrl(e, "url.scheme", v), - "threat.url.subdomain" => static (e, v) => TrySetUrl(e, "url.subdomain", v), - "ThreatUrlSubdomain" => static (e, v) => TrySetUrl(e, "url.subdomain", v), - "threat.url.top_level_domain" => static (e, v) => TrySetUrl(e, "url.top_level_domain", v), - "ThreatUrlTopLevelDomain" => static (e, v) => TrySetUrl(e, "url.top_level_domain", v), - "threat.url.username" => static (e, v) => TrySetUrl(e, "url.username", v), - "ThreatUrlUsername" => static (e, v) => TrySetUrl(e, "url.username", v), + "threat.indicator.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ?? 
new X509(),v), + "ThreatIndicatorX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ?? 
new X509(),v), + "threat.indicator.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ?? new X509(),v), + "ThreatIndicatorX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ?? new X509(),v), + "threat.indicator.as.number" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ?? new As(),v), + "ThreatIndicatorAsNumber" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ?? new As(),v), + "threat.indicator.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ?? new As(),v), + "ThreatIndicatorAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ?? new As(),v), + "threat.indicator.file.accessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileAccessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.created" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCreated" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.ctime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCtime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.device" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileDevice" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.directory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileDirectory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.drive_letter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileDriveLetter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.extension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileExtension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.fork_name" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileForkName" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.gid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileGid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.group" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileGroup" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.inode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileInode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.mime_type" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMimeType" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.mode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ?? 
new File(),v), + "ThreatIndicatorFileMode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.mtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.name" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileName" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.owner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileOwner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.path" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePath" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.size" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileSize" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.target_path" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileTargetPath" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.type" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileType" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.uid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileUid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.hash.md5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashMd5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.hash.sha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashSha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.hash.sha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashSha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.hash.sha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashSha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.hash.sha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashSha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.hash.ssdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashSsdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.hash.tlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileHashTlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.architecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeArchitecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.pe.company" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeCompany" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.description" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeDescription" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.file_version" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeFileVersion" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.go_import_hash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeGoImportHash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.go_imports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeGoImports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.pe.go_stripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeGoStripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.imphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeImphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.import_hash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeImportHash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.original_file_name" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeOriginalFileName" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.pe.pehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePePehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.pe.product" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFilePeProduct" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.issuer.distinguished_name" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509IssuerDistinguishedName" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.not_after" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509NotAfter" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.not_before" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509NotBefore" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.public_key_algorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509PublicKeyAlgorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.public_key_curve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509PublicKeyCurve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.public_key_exponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509PublicKeyExponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.x509.public_key_size" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509PublicKeySize" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.serial_number" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509SerialNumber" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.signature_algorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509SignatureAlgorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.subject.distinguished_name" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509SubjectDistinguishedName" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.x509.version_number" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileX509VersionNumber" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.digest_algorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.exists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ?? 
new File(),v), + "ThreatIndicatorFileCodeSignatureExists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.signing_id" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureSigningId" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.status" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureStatus" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.subject_name" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureSubjectName" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.team_id" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureTeamId" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.timestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureTimestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.code_signature.trusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureTrusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.code_signature.valid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileCodeSignatureValid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.architecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfArchitecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.byte_order" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfByteOrder" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.cpu_type" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfCpuType" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.creation_date" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfCreationDate" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.go_import_hash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfGoImportHash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.go_imports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfGoImports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.elf.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.go_stripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfGoStripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.abi_version" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderAbiVersion" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.class" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderClass" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.data" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderData" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.entrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ?? 
new File(),v), + "ThreatIndicatorFileElfHeaderEntrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.object_version" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderObjectVersion" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.os_abi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderOsAbi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.type" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderType" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.header.version" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfHeaderVersion" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.import_hash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfImportHash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ?? 
new File(),v), + "ThreatIndicatorFileElfImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.elf.telfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileElfTelfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.go_import_hash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoGoImportHash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.go_imports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoGoImports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.go_stripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoGoStripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ?? 
new File(),v), + "threat.indicator.file.macho.import_hash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoImportHash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), + "threat.indicator.file.macho.symhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ?? new File(),v), + "ThreatIndicatorFileMachoSymhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ?? new File(),v), + "threat.indicator.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ?? 
new Geo(),v), + "threat.indicator.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ?? new Geo(),v), + "ThreatIndicatorGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ?? new Geo(),v), + "threat.indicator.registry.data.bytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ?? new Registry(),v), + "ThreatIndicatorRegistryDataBytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ?? 
new Registry(),v), + "threat.indicator.registry.data.type" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ?? new Registry(),v), + "ThreatIndicatorRegistryDataType" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ?? new Registry(),v), + "threat.indicator.registry.hive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ?? new Registry(),v), + "ThreatIndicatorRegistryHive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ?? new Registry(),v), + "threat.indicator.registry.key" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ?? new Registry(),v), + "ThreatIndicatorRegistryKey" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ?? new Registry(),v), + "threat.indicator.registry.path" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ?? new Registry(),v), + "ThreatIndicatorRegistryPath" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ?? new Registry(),v), + "threat.indicator.registry.value" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ?? new Registry(),v), + "ThreatIndicatorRegistryValue" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ?? new Registry(),v), + "threat.indicator.url.domain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlDomain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.extension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlExtension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.fragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ?? 
new Url(),v), + "ThreatIndicatorUrlFragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.full" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlFull" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.original" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlOriginal" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.password" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlPassword" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.path" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlPath" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.port" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlPort" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.query" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlQuery" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.registered_domain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlRegisteredDomain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.scheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlScheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ?? 
new Url(),v), + "threat.indicator.url.subdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlSubdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.top_level_domain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlTopLevelDomain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ?? new Url(),v), + "threat.indicator.url.username" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ?? new Url(),v), + "ThreatIndicatorUrlUsername" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ?? new Url(),v), _ => null }; + return assign; + } + public static bool TrySetThreat(EcsDocument document, string path, object value) + { + var assign = TryAssignThreat(path); if (assign == null) return false; var entity = document.Threat ?? new Threat(); @@ -5523,7 +6053,7 @@ public static bool TrySetThreat(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetTls(EcsDocument document, string path, object value) + public static Func TryAssignTls(string path) { Func assign = path switch { 
@@ -5579,30 +6109,35 @@ public static bool TrySetTls(EcsDocument document, string path, object value) "TlsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "tls.version_protocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), "TlsVersionProtocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), - "tls.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "TlsX509IssuerDistinguishedName" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "tls.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "TlsX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "tls.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "TlsX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "tls.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "TlsX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "tls.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "TlsX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "tls.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "TlsX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "tls.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "TlsX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "tls.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "TlsX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "tls.x509.signature_algorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), - "TlsX509SignatureAlgorithm" => static (e, v) 
=> TrySetX509(e, "x509.signature_algorithm", v), - "tls.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "TlsX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "tls.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), - "TlsX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), + "tls.client.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ?? new X509(),v), + "TlsClientX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ?? new X509(),v), + "TlsClientX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ?? new X509(),v), + "TlsClientX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ?? new X509(),v), + "TlsClientX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ?? new X509(),v), + "TlsClientX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ?? new X509(),v), + "TlsClientX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ?? 
new X509(),v), + "tls.client.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ?? new X509(),v), + "TlsClientX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ?? new X509(),v), + "TlsClientX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ?? new X509(),v), + "TlsClientX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ?? new X509(),v), + "TlsClientX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ?? new X509(),v), + "tls.client.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ?? new X509(),v), + "TlsClientX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ?? new X509(),v), _ => null }; + return assign; + } + public static bool TrySetTls(EcsDocument document, string path, object value) + { + var assign = TryAssignTls(path); if (assign == null) return false; var entity = document.Tls ?? new Tls(); @@ -5611,7 +6146,7 @@ public static bool TrySetTls(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetUrl(EcsDocument document, string path, object value) + public static Func TryAssignUrl(string path) { Func assign = path switch { 
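Review bot: In the `tls.client.x509.*` arms the fallback object from `e.ClientX509 ?? new X509()` is never stored, so when `ClientX509` is null the value is written to a temporary and dropped, while the lambda presumably still returns true and `TrySetTls` reports success. The `TrySet*` wrappers avoid this by writing back after a successful assign (`if (assigned) document.User = entity;` in `TrySetUser` further down), and the nested arms need the same write-back, for example `TryAssignX509("x509.not_after")(e.ClientX509 ??= new X509(), v)` if the property is settable, which is not visible here. The same pattern appears in the `user.group.*`, `user.risk.*` and `target.user.*` arms of `TryAssignUser` and in the `user_agent.os.*` arms of `TryAssignUserAgent` in the later hunks. If this file is generator output, the change belongs in the template that emits these arms rather than in this file.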
@@ -5645,6 +6180,11 @@ public static bool TrySetUrl(EcsDocument document, string path, object value) "UrlUsername" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Username = p), _ => null }; + return assign; + } + public static bool TrySetUrl(EcsDocument document, string path, object value) + { + var assign = TryAssignUrl(path); if (assign == null) return false; var entity = document.Url ?? new Url(); 
@@ -5653,7 +6193,68 @@ public static bool TrySetUrl(EcsDocument document, string path, object value) return assigned; } - public static bool TrySetUserAgent(EcsDocument document, string path, object value) + public static Func TryAssignUser(string path) + { + Func assign = path switch + { + "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), + "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), + "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), + "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), + "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "user.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), + "UserGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), + "user.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), + "UserGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), + "user.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), + "UserGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), + "user.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? 
new Risk(),v), + "UserRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), + "user.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), + "UserRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), + "user.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), + "user.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), + "UserRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), + "user.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), + "UserRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), + "user.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), + "UserRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), + "target.user.domain" => static (e, v) => TryAssignUserTarget("user.domain")(e.Target ?? new UserTarget(),v), + "TargetUserDomain" => static (e, v) => TryAssignUserTarget("user.domain")(e.Target ?? new UserTarget(),v), + "target.user.email" => static (e, v) => TryAssignUserTarget("user.email")(e.Target ?? new UserTarget(),v), + "TargetUserEmail" => static (e, v) => TryAssignUserTarget("user.email")(e.Target ?? new UserTarget(),v), + "target.user.full_name" => static (e, v) => TryAssignUserTarget("user.full_name")(e.Target ?? new UserTarget(),v), + "TargetUserFullName" => static (e, v) => TryAssignUserTarget("user.full_name")(e.Target ?? 
new UserTarget(),v), + "target.user.hash" => static (e, v) => TryAssignUserTarget("user.hash")(e.Target ?? new UserTarget(),v), + "TargetUserHash" => static (e, v) => TryAssignUserTarget("user.hash")(e.Target ?? new UserTarget(),v), + "target.user.id" => static (e, v) => TryAssignUserTarget("user.id")(e.Target ?? new UserTarget(),v), + "TargetUserId" => static (e, v) => TryAssignUserTarget("user.id")(e.Target ?? new UserTarget(),v), + "target.user.name" => static (e, v) => TryAssignUserTarget("user.name")(e.Target ?? new UserTarget(),v), + "TargetUserName" => static (e, v) => TryAssignUserTarget("user.name")(e.Target ?? new UserTarget(),v), + _ => null + }; + return assign; + } + public static bool TrySetUser(IUser document, string path, object value) + { + var assign = TryAssignUser(path); + if (assign == null) return false; + + var entity = document.User ?? new User(); + var assigned = assign(entity, value); + if (assigned) document.User = entity; + return assigned; + } + + public static Func TryAssignUserAgent(string path) { Func assign = path switch { 
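Review bot: The `target.user.*` / `TargetUser*` keys in `TryAssignUser` put the child name first, while every other nested arm in this table and its neighbours puts the parent first (`user.group.id`, `user.risk.static_score`, `tls.client.x509.not_after`). If the intended paths are `user.target.*`, a caller passing `user.target.id` falls through to `_ => null` and `TrySetUser` returns false, so the target user of an event would not land on `User.Target`. It is worth confirming which key the generator is meant to emit and, if it is `user.target.id` / `UserTargetId`, correcting it at the source. A unit test that sets a nested target-user path and asserts on `User.Target` would pin the behaviour.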
@@ -5665,22 +6266,27 @@ public static bool TrySetUserAgent(EcsDocument document, string path, object val "UserAgentOriginal" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), "user_agent.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "UserAgentVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "user_agent.os.family" => static (e, v) => TrySetOs(e, "os.family", v), - "UserAgentOsFamily" => static (e, v) => TrySetOs(e, "os.family", v), - "user_agent.os.full" => static (e, v) => TrySetOs(e, "os.full", v), - "UserAgentOsFull" => static (e, v) => TrySetOs(e, "os.full", v), - "user_agent.os.kernel" => static (e, v) => TrySetOs(e, "os.kernel", v), - "UserAgentOsKernel" => static (e, v) => TrySetOs(e, "os.kernel", v), - "user_agent.os.name" => static (e, v) => TrySetOs(e, "os.name", v), - "UserAgentOsName" => static (e, v) => TrySetOs(e, "os.name", v), - "user_agent.os.platform" => static (e, v) => TrySetOs(e, "os.platform", v), - "UserAgentOsPlatform" => static (e, v) => TrySetOs(e, "os.platform", v), - "user_agent.os.type" => static (e, v) => TrySetOs(e, "os.type", v), - "UserAgentOsType" => static (e, v) => TrySetOs(e, "os.type", v), - "user_agent.os.version" => static (e, v) => TrySetOs(e, "os.version", v), - "UserAgentOsVersion" => static (e, v) => TrySetOs(e, "os.version", v), + "user_agent.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), + "UserAgentOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), + "user_agent.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), + "UserAgentOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), + "user_agent.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), + "UserAgentOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), + "user_agent.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ?? 
new Os(),v), + "UserAgentOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), + "user_agent.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), + "UserAgentOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), + "user_agent.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), + "UserAgentOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), + "user_agent.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), + "UserAgentOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), _ => null }; + return assign; + } + public static bool TrySetUserAgent(EcsDocument document, string path, object value) + { + var assign = TryAssignUserAgent(path); if (assign == null) return false; var entity = document.UserAgent ?? new UserAgent(); @@ -5689,7 +6295,30 @@ public static bool TrySetUserAgent(EcsDocument document, string path, object val return assigned; } - public static bool TrySetVulnerability(EcsDocument document, string path, object value) + public static Func TryAssignVlan(string path) + { + Func assign = path switch + { + "vlan.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "VlanId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "vlan.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "VlanName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + _ => null + }; + return assign; + } + public static bool TrySetVlan(IVlan document, string path, object value) + { + var assign = TryAssignVlan(path); + if (assign == null) return false; + + var entity = document.Vlan ?? new Vlan(); + var assigned = assign(entity, value); + if (assigned) document.Vlan = entity; + return assigned; + } + + public static Func TryAssignVulnerability(string path) { Func assign = path switch { 
@@ -5719,6 +6348,11 @@ public static bool TrySetVulnerability(EcsDocument document, string path, object "VulnerabilitySeverity" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Severity = p), _ => null }; + return assign; + } + public static bool TrySetVulnerability(EcsDocument document, string path, object value) + { + var assign = TryAssignVulnerability(path); if (assign == null) return false; var entity = document.Vulnerability ?? new Vulnerability(); 
@@ -5727,117 +6361,50 @@ public static bool TrySetVulnerability(EcsDocument document, string path, object return assigned; } - public static bool TrySetAs(IAs document, string path, object value) + public static Func TryAssignX509(string path) { - Func assign = path switch + Func assign = path switch { - "as.number" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), - "AsNumber" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), - "as.organization.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), - "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), + "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), + "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), + "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), + "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), + "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), + "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), 
+ "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), + "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), + "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), + "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), + "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), _ => null }; + return assign; + } + public static bool TrySetX509(IX509 document, string path, object value) + { + var assign = TryAssignX509(path); if (assign == null) return false; - var entity = document.As ?? new As(); + var entity = document.X509 ?? 
new X509(); var assigned = assign(entity, value); - if (assigned) document.As = entity; + if (assigned) document.X509 = entity; return assigned; } - public static bool TrySetGeo(IGeo document, string path, object value) + public static Func TryAssignCloudOrigin(string path) { - Func assign = path switch - { - "geo.city_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), - "GeoCityName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), - "geo.continent_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), - "GeoContinentCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), - "geo.continent_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), - "GeoContinentName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), - "geo.country_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), - "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), - "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), - "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), - "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), - "GeoPostalCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), - "geo.region_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), - "GeoRegionIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), - "geo.region_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), - "GeoRegionName" => static (e, 
v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), - "geo.timezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), - "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Geo ?? new Geo(); - var assigned = assign(entity, value); - if (assigned) document.Geo = entity; - return assigned; - } - - public static bool TrySetUser(IUser document, string path, object value) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), - "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), - "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), - "UserGroupName" => static (e, v) => 
TrySetGroup(e, "group.name", v), - "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "UserRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), - "UserUserName" 
=> static (e, v) => TrySetUserTarget(e, "user.name", v), - _ => null - }; - if (assign == null) return false; - - var entity = document.User ?? new User(); - var assigned = assign(entity, value); - if (assigned) document.User = entity; - return assigned; - } - - public static bool TrySetOrigin(IOrigin document, string path, object value) - { - Func assign = path switch + Func assign = path switch { "cloud.account.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), "CloudAccountId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), @@ -5863,6 +6430,11 @@ public static bool TrySetOrigin(IOrigin document, string path, object value) "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), _ => null }; + return assign; + } + public static bool TrySetCloudOrigin(ICloudOrigin document, string path, object value) + { + var assign = TryAssignCloudOrigin(path); if (assign == null) return false; var entity = document.Origin ?? new CloudOrigin(); @@ -5871,7 +6443,7 @@ public static bool TrySetOrigin(IOrigin document, string path, object value) return assigned; } - public static bool TrySetTarget(ITarget document, string path, object value) + public static Func TryAssignCloudTarget(string path) { Func assign = path switch { 
@@ -5888,700 +6460,31 @@ public static bool TrySetTarget(ITarget document, string path, object value) "cloud.machine.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), "CloudMachineType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), "cloud.project.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), - "CloudProjectId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), - "cloud.project.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), - "CloudProjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), - "cloud.provider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), - "CloudProvider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), - "cloud.region" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), - "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), - "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Target ?? 
new CloudTarget(); - var assigned = assign(entity, value); - if (assigned) document.Target = entity; - return assigned; - } - - public static bool TrySetHash(IHash document, string path, object value) - { - Func assign = path switch - { - "hash.md5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), - "HashMd5" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Md5 = p), - "hash.sha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), - "HashSha1" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha1 = p), - "hash.sha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), - "HashSha256" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha256 = p), - "hash.sha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), - "HashSha384" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha384 = p), - "hash.sha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), - "HashSha512" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Sha512 = p), - "hash.ssdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), - "HashSsdeep" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ssdeep = p), - "hash.tlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), - "HashTlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Hash ?? 
new Hash(); - var assigned = assign(entity, value); - if (assigned) document.Hash = entity; - return assigned; - } - - public static bool TrySetPe(IPe document, string path, object value) - { - Func assign = path switch - { - "pe.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "PeArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "pe.company" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), - "PeCompany" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Company = p), - "pe.description" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), - "PeDescription" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Description = p), - "pe.file_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), - "PeFileVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FileVersion = p), - "pe.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "PeGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "pe.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "PeGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "pe.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "PeGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "pe.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "PeGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "pe.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "PeGoStripped" => static (e, v) => TrySetBool(e, v, 
static (ee, p) => ee.GoStripped = p), - "pe.imphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), - "PeImphash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Imphash = p), - "pe.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "PeImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "pe.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "PeImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "pe.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "PeImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "pe.original_file_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), - "PeOriginalFileName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginalFileName = p), - "pe.pehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), - "PePehash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Pehash = p), - "pe.product" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), - "PeProduct" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Pe ?? 
new Pe(); - var assigned = assign(entity, value); - if (assigned) document.Pe = entity; - return assigned; - } - - public static bool TrySetCodeSignature(ICodeSignature document, string path, object value) - { - Func assign = path switch - { - "code_signature.digest_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), - "CodeSignatureDigestAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DigestAlgorithm = p), - "code_signature.exists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), - "CodeSignatureExists" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Exists = p), - "code_signature.signing_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), - "CodeSignatureSigningId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SigningId = p), - "code_signature.status" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), - "CodeSignatureStatus" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Status = p), - "code_signature.subject_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), - "CodeSignatureSubjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectName = p), - "code_signature.team_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), - "CodeSignatureTeamId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TeamId = p), - "code_signature.timestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), - "CodeSignatureTimestamp" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Timestamp = p), - "code_signature.trusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), - "CodeSignatureTrusted" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Trusted = p), - "code_signature.valid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = 
p), - "CodeSignatureValid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.CodeSignature ?? new CodeSignature(); - var assigned = assign(entity, value); - if (assigned) document.CodeSignature = entity; - return assigned; - } - - public static bool TrySetX509(IX509 document, string path, object value) - { - Func assign = path switch - { - "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "x509.serial_number" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.X509 ?? new X509(); - var assigned = assign(entity, value); - if (assigned) document.X509 = entity; - return assigned; - } - - public static bool TrySetElf(IElf document, string path, object value) - { - Func assign = path switch - { - "elf.architecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "ElfArchitecture" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Architecture = p), - "elf.byte_order" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), - "ElfByteOrder" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ByteOrder = p), - "elf.cpu_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), - "ElfCpuType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CpuType = p), - "elf.creation_date" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), - "ElfCreationDate" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.CreationDate = p), - "elf.go_import_hash" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.GoImportHash = p), - "ElfGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "elf.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "ElfGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "elf.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "ElfGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "elf.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "ElfGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "elf.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "ElfGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "elf.header.abi_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), - "ElfHeaderAbiVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderAbiVersion = p), - "elf.header.class" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), - "ElfHeaderClass" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderClass = p), - "elf.header.data" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), - "ElfHeaderData" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderData = p), - "elf.header.entrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), - "ElfHeaderEntrypoint" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.HeaderEntrypoint = p), - "elf.header.object_version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderObjectVersion = p), - "ElfHeaderObjectVersion" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.HeaderObjectVersion = p), - "elf.header.os_abi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), - "ElfHeaderOsAbi" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderOsAbi = p), - "elf.header.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), - "ElfHeaderType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderType = p), - "elf.header.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), - "ElfHeaderVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.HeaderVersion = p), - "elf.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "ElfImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "elf.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "ElfImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "elf.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "ElfImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "elf.telfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), - "ElfTelfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Elf ?? 
new Elf(); - var assigned = assign(entity, value); - if (assigned) document.Elf = entity; - return assigned; - } - - public static bool TrySetMacho(IMacho document, string path, object value) - { - Func assign = path switch - { - "macho.go_import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "MachoGoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImportHash = p), - "macho.go_imports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "MachoGoImports" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.GoImports = p), - "macho.go_imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "MachoGoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesEntropy = p), - "macho.go_imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "MachoGoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.GoImportsNamesVarEntropy = p), - "macho.go_stripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "MachoGoStripped" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.GoStripped = p), - "macho.import_hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "MachoImportHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ImportHash = p), - "macho.imports_names_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "MachoImportsNamesEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesEntropy = p), - "macho.imports_names_var_entropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "MachoImportsNamesVarEntropy" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ImportsNamesVarEntropy = p), - "macho.symhash" => 
static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), - "MachoSymhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Macho ?? new Macho(); - var assigned = assign(entity, value); - if (assigned) document.Macho = entity; - return assigned; - } - - public static bool TrySetOs(IOs document, string path, object value) - { - Func assign = path switch - { - "os.family" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), - "OsFamily" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Family = p), - "os.full" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), - "OsFull" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), - "os.kernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), - "OsKernel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Kernel = p), - "os.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "OsName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "os.platform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), - "OsPlatform" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Platform = p), - "os.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "OsType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "os.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "OsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Os ?? 
new Os(); - var assigned = assign(entity, value); - if (assigned) document.Os = entity; - return assigned; - } - - public static bool TrySetRisk(IRisk document, string path, object value) - { - Func assign = path switch - { - "risk.calculated_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), - "RiskCalculatedLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CalculatedLevel = p), - "risk.calculated_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), - "RiskCalculatedScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScore = p), - "risk.calculated_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), - "RiskCalculatedScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.CalculatedScoreNorm = p), - "risk.static_level" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), - "RiskStaticLevel" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.StaticLevel = p), - "risk.static_score" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), - "RiskStaticScore" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScore = p), - "risk.static_score_norm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), - "RiskStaticScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Risk ?? 
new Risk(); - var assigned = assign(entity, value); - if (assigned) document.Risk = entity; - return assigned; - } - - public static bool TrySetVlan(IVlan document, string path, object value) - { - Func assign = path switch - { - "vlan.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "VlanId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "vlan.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "VlanName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Vlan ?? new Vlan(); - var assigned = assign(entity, value); - if (assigned) document.Vlan = entity; - return assigned; - } - - public static bool TrySetGroup(IGroup document, string path, object value) - { - Func assign = path switch - { - "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.Group ?? 
new Group(); - var assigned = assign(entity, value); - if (assigned) document.Group = entity; - return assigned; - } - - public static bool TrySetRealGroup(IRealGroup document, string path, object value) - { - Func assign = path switch - { - "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.RealGroup ?? new Group(); - var assigned = assign(entity, value); - if (assigned) document.RealGroup = entity; - return assigned; - } - - public static bool TrySetSavedGroup(ISavedGroup document, string path, object value) - { - Func assign = path switch - { - "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.SavedGroup ?? 
new Group(); - var assigned = assign(entity, value); - if (assigned) document.SavedGroup = entity; - return assigned; - } - - public static bool TrySetSupplementalGroups(ISupplementalGroups document, string path, object value) - { - Func assign = path switch - { - "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.SupplementalGroups ?? new Group(); - var assigned = assign(entity, value); - if (assigned) document.SupplementalGroups = entity; - return assigned; - } - - public static bool TrySetAttestedGroups(IAttestedGroups document, string path, object value) - { - Func assign = path switch - { - "group.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "GroupDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "group.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "GroupId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "group.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - if (assign == null) return false; - - var entity = document.AttestedGroups ?? 
new Group(); - var assigned = assign(entity, value); - if (assigned) document.AttestedGroups = entity; - return assigned; - } - - public static bool TrySetEntryMetaSource(IEntryMetaSource document, string path, object value) - { - Func assign = path switch - { - "source.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "SourceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "source.bytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Bytes = p), - "SourceBytes" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Bytes = p), - "source.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "SourceDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "source.ip" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ip = p), - "SourceIp" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Ip = p), - "source.mac" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mac = p), - "SourceMac" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mac = p), - "source.nat.ip" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NatIp = p), - "SourceNatIp" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NatIp = p), - "source.nat.port" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NatPort = p), - "SourceNatPort" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.NatPort = p), - "source.packets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Packets = p), - "SourcePackets" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Packets = p), - "source.port" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), - "SourcePort" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), - "source.registered_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), - "SourceRegisteredDomain" => static (e, v) 
=> TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), - "source.subdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), - "SourceSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), - "source.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "SourceTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "source.as.number" => static (e, v) => TrySetAs(e, "as.number", v), - "SourceAsNumber" => static (e, v) => TrySetAs(e, "as.number", v), - "source.as.organization.name" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "SourceAsOrganizationName" => static (e, v) => TrySetAs(e, "as.organization.name", v), - "source.geo.city_name" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "SourceGeoCityName" => static (e, v) => TrySetGeo(e, "geo.city_name", v), - "source.geo.continent_code" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "SourceGeoContinentCode" => static (e, v) => TrySetGeo(e, "geo.continent_code", v), - "source.geo.continent_name" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "SourceGeoContinentName" => static (e, v) => TrySetGeo(e, "geo.continent_name", v), - "source.geo.country_iso_code" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "SourceGeoCountryIsoCode" => static (e, v) => TrySetGeo(e, "geo.country_iso_code", v), - "source.geo.country_name" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "SourceGeoCountryName" => static (e, v) => TrySetGeo(e, "geo.country_name", v), - "source.geo.name" => static (e, v) => TrySetGeo(e, "geo.name", v), - "SourceGeoName" => static (e, v) => TrySetGeo(e, "geo.name", v), - "source.geo.postal_code" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "SourceGeoPostalCode" => static (e, v) => TrySetGeo(e, "geo.postal_code", v), - "source.geo.region_iso_code" => static (e, v) => 
TrySetGeo(e, "geo.region_iso_code", v), - "SourceGeoRegionIsoCode" => static (e, v) => TrySetGeo(e, "geo.region_iso_code", v), - "source.geo.region_name" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "SourceGeoRegionName" => static (e, v) => TrySetGeo(e, "geo.region_name", v), - "source.geo.timezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "SourceGeoTimezone" => static (e, v) => TrySetGeo(e, "geo.timezone", v), - "source.user.domain" => static (e, v) => TrySetUser(e, "user.domain", v), - "SourceUserDomain" => static (e, v) => TrySetUser(e, "user.domain", v), - "source.user.email" => static (e, v) => TrySetUser(e, "user.email", v), - "SourceUserEmail" => static (e, v) => TrySetUser(e, "user.email", v), - "source.user.full_name" => static (e, v) => TrySetUser(e, "user.full_name", v), - "SourceUserFullName" => static (e, v) => TrySetUser(e, "user.full_name", v), - "source.user.hash" => static (e, v) => TrySetUser(e, "user.hash", v), - "SourceUserHash" => static (e, v) => TrySetUser(e, "user.hash", v), - "source.user.id" => static (e, v) => TrySetUser(e, "user.id", v), - "SourceUserId" => static (e, v) => TrySetUser(e, "user.id", v), - "source.user.name" => static (e, v) => TrySetUser(e, "user.name", v), - "SourceUserName" => static (e, v) => TrySetUser(e, "user.name", v), - "source.user.group.domain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "SourceUserGroupDomain" => static (e, v) => TrySetUser(e, "user.group.domain", v), - "source.user.group.id" => static (e, v) => TrySetUser(e, "user.group.id", v), - "SourceUserGroupId" => static (e, v) => TrySetUser(e, "user.group.id", v), - "source.user.group.name" => static (e, v) => TrySetUser(e, "user.group.name", v), - "SourceUserGroupName" => static (e, v) => TrySetUser(e, "user.group.name", v), - "source.user.risk.calculated_level" => static (e, v) => TrySetUser(e, "user.risk.calculated_level", v), - "SourceUserRiskCalculatedLevel" => static (e, v) => TrySetUser(e, 
"user.risk.calculated_level", v), - "source.user.risk.calculated_score" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "SourceUserRiskCalculatedScore" => static (e, v) => TrySetUser(e, "user.risk.calculated_score", v), - "source.user.risk.calculated_score_norm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.calculated_score_norm", v), - "source.user.risk.static_level" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "SourceUserRiskStaticLevel" => static (e, v) => TrySetUser(e, "user.risk.static_level", v), - "source.user.risk.static_score" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "SourceUserRiskStaticScore" => static (e, v) => TrySetUser(e, "user.risk.static_score", v), - "source.user.risk.static_score_norm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "SourceUserRiskStaticScoreNorm" => static (e, v) => TrySetUser(e, "user.risk.static_score_norm", v), - "source.user.user.domain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "SourceUserUserDomain" => static (e, v) => TrySetUser(e, "user.user.domain", v), - "source.user.user.email" => static (e, v) => TrySetUser(e, "user.user.email", v), - "SourceUserUserEmail" => static (e, v) => TrySetUser(e, "user.user.email", v), - "source.user.user.full_name" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "SourceUserUserFullName" => static (e, v) => TrySetUser(e, "user.user.full_name", v), - "source.user.user.hash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "SourceUserUserHash" => static (e, v) => TrySetUser(e, "user.user.hash", v), - "source.user.user.id" => static (e, v) => TrySetUser(e, "user.user.id", v), - "SourceUserUserId" => static (e, v) => TrySetUser(e, "user.user.id", v), - "source.user.user.name" => static (e, v) => TrySetUser(e, "user.user.name", v), - "SourceUserUserName" => 
static (e, v) => TrySetUser(e, "user.user.name", v), - _ => null - }; - if (assign == null) return false; - - var entity = document.EntryMetaSource ?? new Source(); - var assigned = assign(entity, value); - if (assigned) document.EntryMetaSource = entity; - return assigned; - } - - public static bool TrySetSavedUser(ISavedUser document, string path, object value) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), - "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), - "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), - "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), - "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "UserRiskCalculatedLevel" => 
static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), - "UserUserName" => static (e, v) => TrySetUserTarget(e, "user.name", v), - _ => null - }; - if (assign == null) return false; - - var entity = document.SavedUser ?? 
new User(); - var assigned = assign(entity, value); - if (assigned) document.SavedUser = entity; - return assigned; - } - - public static bool TrySetRealUser(IRealUser document, string path, object value) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), - "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), - "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), - "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), - "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "UserRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - 
"UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), - "UserUserName" => static (e, v) => TrySetUserTarget(e, "user.name", v), - _ => null - }; - if (assign == null) return false; - - var entity = document.RealUser ?? 
new User(); - var assigned = assign(entity, value); - if (assigned) document.RealUser = entity; - return assigned; - } - - public static bool TrySetAttestedUser(IAttestedUser document, string path, object value) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "user.group.domain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "UserGroupDomain" => static (e, v) => TrySetGroup(e, "group.domain", v), - "user.group.id" => static (e, v) => TrySetGroup(e, "group.id", v), - "UserGroupId" => static (e, v) => TrySetGroup(e, "group.id", v), - "user.group.name" => static (e, v) => TrySetGroup(e, "group.name", v), - "UserGroupName" => static (e, v) => TrySetGroup(e, "group.name", v), - "user.risk.calculated_level" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "UserRiskCalculatedLevel" => static (e, v) => TrySetRisk(e, "risk.calculated_level", v), - "user.risk.calculated_score" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - 
"UserRiskCalculatedScore" => static (e, v) => TrySetRisk(e, "risk.calculated_score", v), - "user.risk.calculated_score_norm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "UserRiskCalculatedScoreNorm" => static (e, v) => TrySetRisk(e, "risk.calculated_score_norm", v), - "user.risk.static_level" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "UserRiskStaticLevel" => static (e, v) => TrySetRisk(e, "risk.static_level", v), - "user.risk.static_score" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "UserRiskStaticScore" => static (e, v) => TrySetRisk(e, "risk.static_score", v), - "user.risk.static_score_norm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "UserRiskStaticScoreNorm" => static (e, v) => TrySetRisk(e, "risk.static_score_norm", v), - "user.user.domain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "UserUserDomain" => static (e, v) => TrySetUserTarget(e, "user.domain", v), - "user.user.email" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "UserUserEmail" => static (e, v) => TrySetUserTarget(e, "user.email", v), - "user.user.full_name" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "UserUserFullName" => static (e, v) => TrySetUserTarget(e, "user.full_name", v), - "user.user.hash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "UserUserHash" => static (e, v) => TrySetUserTarget(e, "user.hash", v), - "user.user.id" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "UserUserId" => static (e, v) => TrySetUserTarget(e, "user.id", v), - "user.user.name" => static (e, v) => TrySetUserTarget(e, "user.name", v), - "UserUserName" => static (e, v) => TrySetUserTarget(e, "user.name", v), + "CloudProjectId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), + "cloud.project.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), + "CloudProjectName" => static (e, v) => TrySetString(e, v, 
static (ee, p) => ee.ProjectName = p), + "cloud.provider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), + "CloudProvider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), + "cloud.region" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), + "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), + "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), + "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), _ => null }; + return assign; + } + public static bool TrySetCloudTarget(ICloudTarget document, string path, object value) + { + var assign = TryAssignCloudTarget(path); if (assign == null) return false; - var entity = document.AttestedUser ?? new User(); + var entity = document.Target ?? new CloudTarget(); var assigned = assign(entity, value); - if (assigned) document.AttestedUser = entity; + if (assigned) document.Target = entity; return assigned; } - public static bool TrySetParent(IParent document, string path, object value) + public static Func TryAssignProcessParent(string path) { Func assign = path switch { 
@@ -6619,42 +6522,47 @@ public static bool TrySetParent(IParent document, string path, object value) "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "process.parent.process.args_count" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.args_count", v), - "ProcessParentProcessArgsCount" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.args_count", v), - "process.parent.process.command_line" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.command_line", v), - "ProcessParentProcessCommandLine" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.command_line", v), - "process.parent.process.end" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.end", v), - "ProcessParentProcessEnd" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.end", v), - "process.parent.process.entity_id" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.entity_id", v), - "ProcessParentProcessEntityId" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.entity_id", v), - "process.parent.process.executable" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.executable", v), - "ProcessParentProcessExecutable" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.executable", v), - "process.parent.process.exit_code" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.exit_code", v), - "ProcessParentProcessExitCode" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.exit_code", v), - "process.parent.process.interactive" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.interactive", v), - "ProcessParentProcessInteractive" => static (e, v) => TrySetProcessParentGroupLeader(e, 
"process.interactive", v), - "process.parent.process.name" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.name", v), - "ProcessParentProcessName" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.name", v), - "process.parent.process.pgid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pgid", v), - "ProcessParentProcessPgid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pgid", v), - "process.parent.process.pid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pid", v), - "ProcessParentProcessPid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.pid", v), - "process.parent.process.start" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.start", v), - "ProcessParentProcessStart" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.start", v), - "process.parent.process.thread.id" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.id", v), - "ProcessParentProcessThreadId" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.id", v), - "process.parent.process.thread.name" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.name", v), - "ProcessParentProcessThreadName" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.thread.name", v), - "process.parent.process.title" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.title", v), - "ProcessParentProcessTitle" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.title", v), - "process.parent.process.uptime" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.uptime", v), - "ProcessParentProcessUptime" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.uptime", v), - "process.parent.process.vpid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.vpid", v), - "ProcessParentProcessVpid" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.vpid", v), - 
"process.parent.process.working_directory" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.working_directory", v), - "ProcessParentProcessWorkingDirectory" => static (e, v) => TrySetProcessParentGroupLeader(e, "process.working_directory", v), + "parent.group_leader.process.args_count" => static (e, v) => TryAssignProcessParentGroupLeader("process.args_count")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessArgsCount" => static (e, v) => TryAssignProcessParentGroupLeader("process.args_count")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.command_line" => static (e, v) => TryAssignProcessParentGroupLeader("process.command_line")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessCommandLine" => static (e, v) => TryAssignProcessParentGroupLeader("process.command_line")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.end" => static (e, v) => TryAssignProcessParentGroupLeader("process.end")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessEnd" => static (e, v) => TryAssignProcessParentGroupLeader("process.end")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.entity_id" => static (e, v) => TryAssignProcessParentGroupLeader("process.entity_id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessEntityId" => static (e, v) => TryAssignProcessParentGroupLeader("process.entity_id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.executable" => static (e, v) => TryAssignProcessParentGroupLeader("process.executable")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessExecutable" => static (e, v) => TryAssignProcessParentGroupLeader("process.executable")(e.GroupLeader ?? 
new ProcessParentGroupLeader(),v), + "parent.group_leader.process.exit_code" => static (e, v) => TryAssignProcessParentGroupLeader("process.exit_code")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessExitCode" => static (e, v) => TryAssignProcessParentGroupLeader("process.exit_code")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.interactive" => static (e, v) => TryAssignProcessParentGroupLeader("process.interactive")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessInteractive" => static (e, v) => TryAssignProcessParentGroupLeader("process.interactive")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.name" => static (e, v) => TryAssignProcessParentGroupLeader("process.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessName" => static (e, v) => TryAssignProcessParentGroupLeader("process.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.pgid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pgid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessPgid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pgid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.pid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessPid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.start" => static (e, v) => TryAssignProcessParentGroupLeader("process.start")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessStart" => static (e, v) => TryAssignProcessParentGroupLeader("process.start")(e.GroupLeader ?? 
new ProcessParentGroupLeader(),v), + "parent.group_leader.process.thread.id" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessThreadId" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.thread.name" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessThreadName" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.title" => static (e, v) => TryAssignProcessParentGroupLeader("process.title")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessTitle" => static (e, v) => TryAssignProcessParentGroupLeader("process.title")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.uptime" => static (e, v) => TryAssignProcessParentGroupLeader("process.uptime")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessUptime" => static (e, v) => TryAssignProcessParentGroupLeader("process.uptime")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.vpid" => static (e, v) => TryAssignProcessParentGroupLeader("process.vpid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessVpid" => static (e, v) => TryAssignProcessParentGroupLeader("process.vpid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "parent.group_leader.process.working_directory" => static (e, v) => TryAssignProcessParentGroupLeader("process.working_directory")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), + "ParentGroupLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessParentGroupLeader("process.working_directory")(e.GroupLeader ?? 
new ProcessParentGroupLeader(),v), _ => null }; + return assign; + } + public static bool TrySetProcessParent(IProcessParent document, string path, object value) + { + var assign = TryAssignProcessParent(path); if (assign == null) return false; var entity = document.Parent ?? new ProcessParent(); @@ -6663,7 +6571,7 @@ public static bool TrySetParent(IParent document, string path, object value) return assigned; } - public static bool TrySetEntryLeader(IEntryLeader document, string path, object value) + public static Func TryAssignProcessEntryLeader(string path) { Func assign = path switch { 
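Review bot: The nested-entity arms added here, such as `"parent.group_leader.process.args_count" => static (e, v) => TryAssignProcessParentGroupLeader("process.args_count")(e.GroupLeader ?? new ProcessParentGroupLeader(),v)`, pass a fresh `ProcessParentGroupLeader` to the setter when `e.GroupLeader` is null and never store it back on `e`, so the value lands on a discarded object while the arm can still report success. The returned delegate is also invoked without a null check, although the `TryAssign…` functions visible on this page end in `_ => null`. The `@@ -6701,76 +6609,81 @@` hunk repeats both problems with `e.Parent ?? new ProcessEntryLeaderParent()`, and its `process.parent.entry_leader.parent.session_leader.*` arms pass a path that may not be a key of `TryAssignProcessEntryLeaderParent` (its switch is not visible here), which would throw on invocation. Assuming `GroupLeader` is settable, each arm could instead be `static (e, v) => { var g = e.GroupLeader ?? new ProcessParentGroupLeader(); var ok = TryAssignProcessParentGroupLeader("process.args_count")?.Invoke(g, v) ?? false; if (ok) e.GroupLeader = g; return ok; }`. This looks like generated dispatch code, so the change probably belongs in the generator template. The enclosing switch of `TryAssignProcessParent` starts outside this hunk.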
@@ -6701,76 +6609,81 @@ public static bool TrySetEntryLeader(IEntryLeader document, string path, object "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "process.entry_leader.process.args_count" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.args_count", v), - "ProcessEntryLeaderProcessArgsCount" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.args_count", v), - "process.entry_leader.process.command_line" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.command_line", v), - "ProcessEntryLeaderProcessCommandLine" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.command_line", v), - "process.entry_leader.process.end" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.end", v), - "ProcessEntryLeaderProcessEnd" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.end", v), - "process.entry_leader.process.entity_id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entity_id", v), - "ProcessEntryLeaderProcessEntityId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entity_id", v), - "process.entry_leader.process.executable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.executable", v), - "ProcessEntryLeaderProcessExecutable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.executable", v), - "process.entry_leader.process.exit_code" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.exit_code", v), - "ProcessEntryLeaderProcessExitCode" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.exit_code", v), - "process.entry_leader.process.interactive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.interactive", v), - 
"ProcessEntryLeaderProcessInteractive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.interactive", v), - "process.entry_leader.process.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.name", v), - "ProcessEntryLeaderProcessName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.name", v), - "process.entry_leader.process.pgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pgid", v), - "ProcessEntryLeaderProcessPgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pgid", v), - "process.entry_leader.process.pid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pid", v), - "ProcessEntryLeaderProcessPid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.pid", v), - "process.entry_leader.process.start" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.start", v), - "ProcessEntryLeaderProcessStart" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.start", v), - "process.entry_leader.process.thread.id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.id", v), - "ProcessEntryLeaderProcessThreadId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.id", v), - "process.entry_leader.process.thread.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.name", v), - "ProcessEntryLeaderProcessThreadName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.thread.name", v), - "process.entry_leader.process.title" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.title", v), - "ProcessEntryLeaderProcessTitle" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.title", v), - "process.entry_leader.process.uptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.uptime", v), - "ProcessEntryLeaderProcessUptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.uptime", v), - "process.entry_leader.process.vpid" => static (e, v) => 
TrySetProcessEntryLeaderParent(e, "process.vpid", v), - "ProcessEntryLeaderProcessVpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.vpid", v), - "process.entry_leader.process.working_directory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.working_directory", v), - "ProcessEntryLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.working_directory", v), - "process.entry_leader.process.entry_leader.parent.process.args_count" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.args_count", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.args_count", v), - "process.entry_leader.process.entry_leader.parent.process.command_line" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.command_line", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.command_line", v), - "process.entry_leader.process.entry_leader.parent.process.end" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.end", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessEnd" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.end", v), - "process.entry_leader.process.entry_leader.parent.process.entity_id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.entity_id", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessEntityId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.entity_id", v), - "process.entry_leader.process.entry_leader.parent.process.executable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.executable", v), - 
"ProcessEntryLeaderProcessEntryLeaderParentProcessExecutable" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.executable", v), - "process.entry_leader.process.entry_leader.parent.process.exit_code" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.exit_code", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessExitCode" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.exit_code", v), - "process.entry_leader.process.entry_leader.parent.process.interactive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.interactive", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessInteractive" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.interactive", v), - "process.entry_leader.process.entry_leader.parent.process.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.name", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.name", v), - "process.entry_leader.process.entry_leader.parent.process.pgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pgid", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessPgid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pgid", v), - "process.entry_leader.process.entry_leader.parent.process.pid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pid", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessPid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.pid", v), - "process.entry_leader.process.entry_leader.parent.process.start" => static (e, v) => TrySetProcessEntryLeaderParent(e, 
"process.entry_leader.parent.process.start", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessStart" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.start", v), - "process.entry_leader.process.entry_leader.parent.process.thread.id" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.id", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessThreadId" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.id", v), - "process.entry_leader.process.entry_leader.parent.process.thread.name" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.name", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessThreadName" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.thread.name", v), - "process.entry_leader.process.entry_leader.parent.process.title" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.title", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessTitle" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.title", v), - "process.entry_leader.process.entry_leader.parent.process.uptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.uptime", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessUptime" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.uptime", v), - "process.entry_leader.process.entry_leader.parent.process.vpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.vpid", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessVpid" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.vpid", v), - "process.entry_leader.process.entry_leader.parent.process.working_directory" => static 
(e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.working_directory", v), - "ProcessEntryLeaderProcessEntryLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessEntryLeaderParent(e, "process.entry_leader.parent.process.working_directory", v), + "entry_leader.parent.process.args_count" => static (e, v) => TryAssignProcessEntryLeaderParent("process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeaderParent("process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.command_line" => static (e, v) => TryAssignProcessEntryLeaderParent("process.command_line")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeaderParent("process.command_line")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.end" => static (e, v) => TryAssignProcessEntryLeaderParent("process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessEnd" => static (e, v) => TryAssignProcessEntryLeaderParent("process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessEntryLeaderParent("process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessEntryLeaderParent("process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.executable" => static (e, v) => TryAssignProcessEntryLeaderParent("process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessEntryLeaderParent("process.executable")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessEntryLeaderParent("process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessEntryLeaderParent("process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.interactive" => static (e, v) => TryAssignProcessEntryLeaderParent("process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessEntryLeaderParent("process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.name" => static (e, v) => TryAssignProcessEntryLeaderParent("process.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessName" => static (e, v) => TryAssignProcessEntryLeaderParent("process.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.pgid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessPgid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.pid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessPid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.start" => static (e, v) => TryAssignProcessEntryLeaderParent("process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessStart" => static (e, v) => TryAssignProcessEntryLeaderParent("process.start")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.title" => static (e, v) => TryAssignProcessEntryLeaderParent("process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessTitle" => static (e, v) => TryAssignProcessEntryLeaderParent("process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.uptime" => static (e, v) => TryAssignProcessEntryLeaderParent("process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessUptime" => static (e, v) => TryAssignProcessEntryLeaderParent("process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.vpid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessVpid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "entry_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessEntryLeaderParent("process.working_directory")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "EntryLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeaderParent("process.working_directory")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.command_line")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.command_line")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.entity_id")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.name")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.name")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), + "process.parent.entry_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.working_directory")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), + "ProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessEntryLeaderParent(),v), _ => null }; + return assign; + } + public static bool TrySetProcessEntryLeader(IProcessEntryLeader document, string path, object value) + { + var assign = TryAssignProcessEntryLeader(path); if (assign == null) return false; var entity = document.EntryLeader ?? new ProcessEntryLeader(); @@ -6779,7 +6692,7 @@ public static bool TrySetEntryLeader(IEntryLeader document, string path, object return assigned; } - public static bool TrySetSessionLeader(ISessionLeader document, string path, object value) + public static Func TryAssignProcessSessionLeader(string path) { Func assign = path switch { 
@@ -6817,76 +6730,81 @@ public static bool TrySetSessionLeader(ISessionLeader document, string path, obj "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "process.session_leader.process.args_count" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.args_count", v), - "ProcessSessionLeaderProcessArgsCount" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.args_count", v), - "process.session_leader.process.command_line" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.command_line", v), - "ProcessSessionLeaderProcessCommandLine" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.command_line", v), - "process.session_leader.process.end" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.end", v), - "ProcessSessionLeaderProcessEnd" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.end", v), - "process.session_leader.process.entity_id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.entity_id", v), - "ProcessSessionLeaderProcessEntityId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.entity_id", v), - "process.session_leader.process.executable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.executable", v), - "ProcessSessionLeaderProcessExecutable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.executable", v), - "process.session_leader.process.exit_code" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.exit_code", v), - "ProcessSessionLeaderProcessExitCode" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.exit_code", v), - "process.session_leader.process.interactive" => static (e, v) => TrySetProcessSessionLeaderParent(e, 
"process.interactive", v), - "ProcessSessionLeaderProcessInteractive" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.interactive", v), - "process.session_leader.process.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.name", v), - "ProcessSessionLeaderProcessName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.name", v), - "process.session_leader.process.pgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pgid", v), - "ProcessSessionLeaderProcessPgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pgid", v), - "process.session_leader.process.pid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pid", v), - "ProcessSessionLeaderProcessPid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.pid", v), - "process.session_leader.process.start" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.start", v), - "ProcessSessionLeaderProcessStart" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.start", v), - "process.session_leader.process.thread.id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.id", v), - "ProcessSessionLeaderProcessThreadId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.id", v), - "process.session_leader.process.thread.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.name", v), - "ProcessSessionLeaderProcessThreadName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.thread.name", v), - "process.session_leader.process.title" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.title", v), - "ProcessSessionLeaderProcessTitle" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.title", v), - "process.session_leader.process.uptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.uptime", v), - "ProcessSessionLeaderProcessUptime" => static (e, v) => 
TrySetProcessSessionLeaderParent(e, "process.uptime", v), - "process.session_leader.process.vpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.vpid", v), - "ProcessSessionLeaderProcessVpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.vpid", v), - "process.session_leader.process.working_directory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.working_directory", v), - "ProcessSessionLeaderProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.working_directory", v), - "process.session_leader.process.session_leader.parent.process.args_count" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.args_count", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessArgsCount" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.args_count", v), - "process.session_leader.process.session_leader.parent.process.command_line" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.command_line", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessCommandLine" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.command_line", v), - "process.session_leader.process.session_leader.parent.process.end" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.end", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessEnd" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.end", v), - "process.session_leader.process.session_leader.parent.process.entity_id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.entity_id", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessEntityId" => static (e, v) => TrySetProcessSessionLeaderParent(e, 
"process.session_leader.parent.process.entity_id", v), - "process.session_leader.process.session_leader.parent.process.executable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.executable", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessExecutable" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.executable", v), - "process.session_leader.process.session_leader.parent.process.exit_code" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.exit_code", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessExitCode" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.exit_code", v), - "process.session_leader.process.session_leader.parent.process.interactive" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.interactive", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessInteractive" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.interactive", v), - "process.session_leader.process.session_leader.parent.process.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.name", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.name", v), - "process.session_leader.process.session_leader.parent.process.pgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pgid", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessPgid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pgid", v), - "process.session_leader.process.session_leader.parent.process.pid" => static (e, v) => TrySetProcessSessionLeaderParent(e, 
"process.session_leader.parent.process.pid", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessPid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.pid", v), - "process.session_leader.process.session_leader.parent.process.start" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.start", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessStart" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.start", v), - "process.session_leader.process.session_leader.parent.process.thread.id" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.id", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessThreadId" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.id", v), - "process.session_leader.process.session_leader.parent.process.thread.name" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.name", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessThreadName" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.thread.name", v), - "process.session_leader.process.session_leader.parent.process.title" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.title", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessTitle" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.title", v), - "process.session_leader.process.session_leader.parent.process.uptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.uptime", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessUptime" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.uptime", v), - 
"process.session_leader.process.session_leader.parent.process.vpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.vpid", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessVpid" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.vpid", v), - "process.session_leader.process.session_leader.parent.process.working_directory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.working_directory", v), - "ProcessSessionLeaderProcessSessionLeaderParentProcessWorkingDirectory" => static (e, v) => TrySetProcessSessionLeaderParent(e, "process.session_leader.parent.process.working_directory", v), + "session_leader.parent.process.args_count" => static (e, v) => TryAssignProcessSessionLeaderParent("process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeaderParent("process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.command_line" => static (e, v) => TryAssignProcessSessionLeaderParent("process.command_line")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeaderParent("process.command_line")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.end" => static (e, v) => TryAssignProcessSessionLeaderParent("process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessEnd" => static (e, v) => TryAssignProcessSessionLeaderParent("process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessSessionLeaderParent("process.entity_id")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessSessionLeaderParent("process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.executable" => static (e, v) => TryAssignProcessSessionLeaderParent("process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessSessionLeaderParent("process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessSessionLeaderParent("process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessSessionLeaderParent("process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.interactive" => static (e, v) => TryAssignProcessSessionLeaderParent("process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessSessionLeaderParent("process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.name" => static (e, v) => TryAssignProcessSessionLeaderParent("process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessName" => static (e, v) => TryAssignProcessSessionLeaderParent("process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.pgid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessPgid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.pid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pid")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessPid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.start" => static (e, v) => TryAssignProcessSessionLeaderParent("process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessStart" => static (e, v) => TryAssignProcessSessionLeaderParent("process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.title" => static (e, v) => TryAssignProcessSessionLeaderParent("process.title")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessTitle" => static (e, v) => TryAssignProcessSessionLeaderParent("process.title")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.uptime" => static (e, v) => TryAssignProcessSessionLeaderParent("process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessUptime" => static (e, v) => TryAssignProcessSessionLeaderParent("process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.vpid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.vpid")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessVpid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "session_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessSessionLeaderParent("process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "SessionLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeaderParent("process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.command_line")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.command_line")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.end")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.interactive")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.start")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.uptime")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "process.parent.session_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), + "ProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), _ => null }; + return assign; + } + public static bool TrySetProcessSessionLeader(IProcessSessionLeader document, string path, object value) + { + var assign = TryAssignProcessSessionLeader(path); if (assign == null) return false; var entity = document.SessionLeader ?? new ProcessSessionLeader(); @@ -6895,7 +6813,7 @@ public static bool TrySetSessionLeader(ISessionLeader document, string path, obj return assigned; } - public static bool TrySetGroupLeader(IGroupLeader document, string path, object value) + public static Func TryAssignProcessGroupLeader(string path) { Func assign = path switch { 
@@ -6935,6 +6853,11 @@ public static bool TrySetGroupLeader(IGroupLeader document, string path, object "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), _ => null }; + return assign; + } + public static bool TrySetProcessGroupLeader(IProcessGroupLeader document, string path, object value) + { + var assign = TryAssignProcessGroupLeader(path); if (assign == null) return false; var entity = document.GroupLeader ?? new ProcessGroupLeader(); @@ -6943,9 +6866,9 @@ public static bool TrySetGroupLeader(IGroupLeader document, string path, object return assigned; } - public static bool TrySetPrevious(IPrevious document, string path, object value) + public static Func TryAssignProcessParentGroupLeader(string path) { - Func assign = path switch + Func assign = path switch { "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), 
@@ -6983,513 +6906,421 @@ public static bool TrySetPrevious(IPrevious document, string path, object value) "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), _ => null }; - if (assign == null) return false; - - var entity = document.Previous ?? new ProcessPrevious(); - var assigned = assign(entity, value); - if (assigned) document.Previous = entity; - return assigned; + return assign; } - - public static bool TrySetOrigin(IOrigin document, string path, object value) + public static bool TrySetProcessParentGroupLeader(IProcessParentGroupLeader document, string path, object value) { - Func assign = path switch - { - "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - 
"service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - _ => null - }; + var assign = TryAssignProcessParentGroupLeader(path); if (assign == null) return false; - var entity = document.Origin ?? new ServiceOrigin(); + var entity = document.GroupLeader ?? new ProcessParentGroupLeader(); var assigned = assign(entity, value); - if (assigned) document.Origin = entity; + if (assigned) document.GroupLeader = entity; return assigned; } - public static bool TrySetTarget(ITarget document, string path, object value) + public static Func TryAssignProcessEntryLeaderParent(string path) { - Func assign = path switch + Func assign = path switch { - "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ServiceName" => static 
(e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) 
=> TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + 
"process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "entry_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "entry_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), + "EntryLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), _ => null }; - if (assign == null) return false; - - var entity = document.Target ?? 
new ServiceTarget(); - var assigned = assign(entity, value); - if (assigned) document.Target = entity; - return assigned; + return assign; } - - public static bool TrySetIndicatorX509(IIndicatorX509 document, string path, object value) + public static bool TrySetProcessEntryLeaderParent(IProcessEntryLeaderParent document, string path, object value) { - Func assign = path switch - { - "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = 
p), - "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - _ => null - }; + var assign = TryAssignProcessEntryLeaderParent(path); if (assign == null) return false; - var entity = document.IndicatorX509 ?? new X509(); + var entity = document.Parent ?? new ProcessEntryLeaderParent(); var assigned = assign(entity, value); - if (assigned) document.IndicatorX509 = entity; + if (assigned) document.Parent = entity; return assigned; } - public static bool TrySetIndicatorAs(IIndicatorAs document, string path, object value) + public static Func TryAssignProcessSessionLeaderParent(string path) { - Func assign = path switch + Func assign = path switch { - "as.number" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), - "AsNumber" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Number = p), - "as.organization.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), - "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p), + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) 
=> ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "session_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.start")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "session_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), + "SessionLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), _ => null }; + return assign; + } + public static bool TrySetProcessSessionLeaderParent(IProcessSessionLeaderParent document, string path, object value) + { + var assign = TryAssignProcessSessionLeaderParent(path); if (assign == null) return false; - var entity = document.IndicatorAs ?? new As(); + var entity = document.Parent ?? 
new ProcessSessionLeaderParent(); var assigned = assign(entity, value); - if (assigned) document.IndicatorAs = entity; + if (assigned) document.Parent = entity; return assigned; } - public static bool TrySetIndicatorFile(IIndicatorFile document, string path, object value) + public static Func TryAssignProcessEntryLeaderParentSessionLeader(string path) { - Func assign = path switch + Func assign = path switch { - "file.accessed" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Accessed = p), - "FileAccessed" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Accessed = p), - "file.created" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Created = p), - "FileCreated" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Created = p), - "file.ctime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Ctime = p), - "FileCtime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Ctime = p), - "file.device" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Device = p), - "FileDevice" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Device = p), - "file.directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Directory = p), - "FileDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Directory = p), - "file.drive_letter" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DriveLetter = p), - "FileDriveLetter" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DriveLetter = p), - "file.extension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), - "FileExtension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), - "file.fork_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ForkName = p), - "FileForkName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ForkName = p), - "file.gid" => static (e, v) => TrySetString(e, v, static 
(ee, p) => ee.Gid = p), - "FileGid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Gid = p), - "file.group" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Group = p), - "FileGroup" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Group = p), - "file.inode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Inode = p), - "FileInode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Inode = p), - "file.mime_type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MimeType = p), - "FileMimeType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MimeType = p), - "file.mode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mode = p), - "FileMode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Mode = p), - "file.mtime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Mtime = p), - "FileMtime" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Mtime = p), - "file.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "FileName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "file.owner" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Owner = p), - "FileOwner" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Owner = p), - "file.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "FilePath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "file.size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Size = p), - "FileSize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Size = p), - "file.target_path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TargetPath = p), - "FileTargetPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TargetPath = p), - "file.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "FileType" => static (e, v) => TrySetString(e, 
v, static (ee, p) => ee.Type = p), - "file.uid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), - "FileUid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), - "file.hash.md5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "FileHashMd5" => static (e, v) => TrySetHash(e, "hash.md5", v), - "file.hash.sha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "FileHashSha1" => static (e, v) => TrySetHash(e, "hash.sha1", v), - "file.hash.sha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "FileHashSha256" => static (e, v) => TrySetHash(e, "hash.sha256", v), - "file.hash.sha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "FileHashSha384" => static (e, v) => TrySetHash(e, "hash.sha384", v), - "file.hash.sha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "FileHashSha512" => static (e, v) => TrySetHash(e, "hash.sha512", v), - "file.hash.ssdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "FileHashSsdeep" => static (e, v) => TrySetHash(e, "hash.ssdeep", v), - "file.hash.tlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "FileHashTlsh" => static (e, v) => TrySetHash(e, "hash.tlsh", v), - "file.pe.architecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "FilePeArchitecture" => static (e, v) => TrySetPe(e, "pe.architecture", v), - "file.pe.company" => static (e, v) => TrySetPe(e, "pe.company", v), - "FilePeCompany" => static (e, v) => TrySetPe(e, "pe.company", v), - "file.pe.description" => static (e, v) => TrySetPe(e, "pe.description", v), - "FilePeDescription" => static (e, v) => TrySetPe(e, "pe.description", v), - "file.pe.file_version" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "FilePeFileVersion" => static (e, v) => TrySetPe(e, "pe.file_version", v), - "file.pe.go_import_hash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), - "FilePeGoImportHash" => static (e, v) => TrySetPe(e, "pe.go_import_hash", v), - "file.pe.go_imports" => static 
(e, v) => TrySetPe(e, "pe.go_imports", v), - "FilePeGoImports" => static (e, v) => TrySetPe(e, "pe.go_imports", v), - "file.pe.go_imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "FilePeGoImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_entropy", v), - "file.pe.go_imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "FilePeGoImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.go_imports_names_var_entropy", v), - "file.pe.go_stripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "FilePeGoStripped" => static (e, v) => TrySetPe(e, "pe.go_stripped", v), - "file.pe.imphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "FilePeImphash" => static (e, v) => TrySetPe(e, "pe.imphash", v), - "file.pe.import_hash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "FilePeImportHash" => static (e, v) => TrySetPe(e, "pe.import_hash", v), - "file.pe.imports_names_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "FilePeImportsNamesEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_entropy", v), - "file.pe.imports_names_var_entropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "FilePeImportsNamesVarEntropy" => static (e, v) => TrySetPe(e, "pe.imports_names_var_entropy", v), - "file.pe.original_file_name" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "FilePeOriginalFileName" => static (e, v) => TrySetPe(e, "pe.original_file_name", v), - "file.pe.pehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "FilePePehash" => static (e, v) => TrySetPe(e, "pe.pehash", v), - "file.pe.product" => static (e, v) => TrySetPe(e, "pe.product", v), - "FilePeProduct" => static (e, v) => TrySetPe(e, "pe.product", v), - "file.x509.issuer.distinguished_name" => static (e, v) => TrySetX509(e, "x509.issuer.distinguished_name", v), - "FileX509IssuerDistinguishedName" => static (e, v) => 
TrySetX509(e, "x509.issuer.distinguished_name", v), - "file.x509.not_after" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "FileX509NotAfter" => static (e, v) => TrySetX509(e, "x509.not_after", v), - "file.x509.not_before" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "FileX509NotBefore" => static (e, v) => TrySetX509(e, "x509.not_before", v), - "file.x509.public_key_algorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "FileX509PublicKeyAlgorithm" => static (e, v) => TrySetX509(e, "x509.public_key_algorithm", v), - "file.x509.public_key_curve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "FileX509PublicKeyCurve" => static (e, v) => TrySetX509(e, "x509.public_key_curve", v), - "file.x509.public_key_exponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "FileX509PublicKeyExponent" => static (e, v) => TrySetX509(e, "x509.public_key_exponent", v), - "file.x509.public_key_size" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "FileX509PublicKeySize" => static (e, v) => TrySetX509(e, "x509.public_key_size", v), - "file.x509.serial_number" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "FileX509SerialNumber" => static (e, v) => TrySetX509(e, "x509.serial_number", v), - "file.x509.signature_algorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), - "FileX509SignatureAlgorithm" => static (e, v) => TrySetX509(e, "x509.signature_algorithm", v), - "file.x509.subject.distinguished_name" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "FileX509SubjectDistinguishedName" => static (e, v) => TrySetX509(e, "x509.subject.distinguished_name", v), - "file.x509.version_number" => static (e, v) => TrySetX509(e, "x509.version_number", v), - "FileX509VersionNumber" => static (e, v) => TrySetX509(e, "x509.version_number", v), - "file.code_signature.digest_algorithm" => static (e, v) => TrySetCodeSignature(e, 
"code_signature.digest_algorithm", v), - "FileCodeSignatureDigestAlgorithm" => static (e, v) => TrySetCodeSignature(e, "code_signature.digest_algorithm", v), - "file.code_signature.exists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "FileCodeSignatureExists" => static (e, v) => TrySetCodeSignature(e, "code_signature.exists", v), - "file.code_signature.signing_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "FileCodeSignatureSigningId" => static (e, v) => TrySetCodeSignature(e, "code_signature.signing_id", v), - "file.code_signature.status" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "FileCodeSignatureStatus" => static (e, v) => TrySetCodeSignature(e, "code_signature.status", v), - "file.code_signature.subject_name" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "FileCodeSignatureSubjectName" => static (e, v) => TrySetCodeSignature(e, "code_signature.subject_name", v), - "file.code_signature.team_id" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "FileCodeSignatureTeamId" => static (e, v) => TrySetCodeSignature(e, "code_signature.team_id", v), - "file.code_signature.timestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "FileCodeSignatureTimestamp" => static (e, v) => TrySetCodeSignature(e, "code_signature.timestamp", v), - "file.code_signature.trusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "FileCodeSignatureTrusted" => static (e, v) => TrySetCodeSignature(e, "code_signature.trusted", v), - "file.code_signature.valid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), - "FileCodeSignatureValid" => static (e, v) => TrySetCodeSignature(e, "code_signature.valid", v), - "file.elf.architecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), - "FileElfArchitecture" => static (e, v) => TrySetElf(e, "elf.architecture", v), 
- "file.elf.byte_order" => static (e, v) => TrySetElf(e, "elf.byte_order", v), - "FileElfByteOrder" => static (e, v) => TrySetElf(e, "elf.byte_order", v), - "file.elf.cpu_type" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), - "FileElfCpuType" => static (e, v) => TrySetElf(e, "elf.cpu_type", v), - "file.elf.creation_date" => static (e, v) => TrySetElf(e, "elf.creation_date", v), - "FileElfCreationDate" => static (e, v) => TrySetElf(e, "elf.creation_date", v), - "file.elf.go_import_hash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), - "FileElfGoImportHash" => static (e, v) => TrySetElf(e, "elf.go_import_hash", v), - "file.elf.go_imports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), - "FileElfGoImports" => static (e, v) => TrySetElf(e, "elf.go_imports", v), - "file.elf.go_imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), - "FileElfGoImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_entropy", v), - "file.elf.go_imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), - "FileElfGoImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.go_imports_names_var_entropy", v), - "file.elf.go_stripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), - "FileElfGoStripped" => static (e, v) => TrySetElf(e, "elf.go_stripped", v), - "file.elf.header.abi_version" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), - "FileElfHeaderAbiVersion" => static (e, v) => TrySetElf(e, "elf.header.abi_version", v), - "file.elf.header.class" => static (e, v) => TrySetElf(e, "elf.header.class", v), - "FileElfHeaderClass" => static (e, v) => TrySetElf(e, "elf.header.class", v), - "file.elf.header.data" => static (e, v) => TrySetElf(e, "elf.header.data", v), - "FileElfHeaderData" => static (e, v) => TrySetElf(e, "elf.header.data", v), - "file.elf.header.entrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), - 
"FileElfHeaderEntrypoint" => static (e, v) => TrySetElf(e, "elf.header.entrypoint", v), - "file.elf.header.object_version" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), - "FileElfHeaderObjectVersion" => static (e, v) => TrySetElf(e, "elf.header.object_version", v), - "file.elf.header.os_abi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), - "FileElfHeaderOsAbi" => static (e, v) => TrySetElf(e, "elf.header.os_abi", v), - "file.elf.header.type" => static (e, v) => TrySetElf(e, "elf.header.type", v), - "FileElfHeaderType" => static (e, v) => TrySetElf(e, "elf.header.type", v), - "file.elf.header.version" => static (e, v) => TrySetElf(e, "elf.header.version", v), - "FileElfHeaderVersion" => static (e, v) => TrySetElf(e, "elf.header.version", v), - "file.elf.import_hash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), - "FileElfImportHash" => static (e, v) => TrySetElf(e, "elf.import_hash", v), - "file.elf.imports_names_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), - "FileElfImportsNamesEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_entropy", v), - "file.elf.imports_names_var_entropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), - "FileElfImportsNamesVarEntropy" => static (e, v) => TrySetElf(e, "elf.imports_names_var_entropy", v), - "file.elf.telfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), - "FileElfTelfhash" => static (e, v) => TrySetElf(e, "elf.telfhash", v), - "file.macho.go_import_hash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), - "FileMachoGoImportHash" => static (e, v) => TrySetMacho(e, "macho.go_import_hash", v), - "file.macho.go_imports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), - "FileMachoGoImports" => static (e, v) => TrySetMacho(e, "macho.go_imports", v), - "file.macho.go_imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), - "FileMachoGoImportsNamesEntropy" => 
static (e, v) => TrySetMacho(e, "macho.go_imports_names_entropy", v), - "file.macho.go_imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), - "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.go_imports_names_var_entropy", v), - "file.macho.go_stripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), - "FileMachoGoStripped" => static (e, v) => TrySetMacho(e, "macho.go_stripped", v), - "file.macho.import_hash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), - "FileMachoImportHash" => static (e, v) => TrySetMacho(e, "macho.import_hash", v), - "file.macho.imports_names_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), - "FileMachoImportsNamesEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_entropy", v), - "file.macho.imports_names_var_entropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), - "FileMachoImportsNamesVarEntropy" => static (e, v) => TrySetMacho(e, "macho.imports_names_var_entropy", v), - "file.macho.symhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), - "FileMachoSymhash" => static (e, v) => TrySetMacho(e, "macho.symhash", v), + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => 
ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static 
(e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), _ => null }; - if (assign == null) return false; - - var entity = document.IndicatorFile ?? new File(); - var assigned = assign(entity, value); - if (assigned) document.IndicatorFile = entity; - return assigned; + return assign; } - - public static bool TrySetIndicatorGeo(IIndicatorGeo document, string path, object value) + public static bool TrySetProcessEntryLeaderParentSessionLeader(IProcessEntryLeaderParentSessionLeader document, string path, object value) { - Func assign = path switch - { - "geo.city_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), - "GeoCityName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CityName = p), - "geo.continent_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), - "GeoContinentCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentCode = p), - "geo.continent_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), - "GeoContinentName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ContinentName = p), - "geo.country_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), - "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), - "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), - "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), - "geo.name" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.Name = p), - "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), - "GeoPostalCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), - "geo.region_iso_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), - "GeoRegionIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionIsoCode = p), - "geo.region_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), - "GeoRegionName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegionName = p), - "geo.timezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), - "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), - _ => null - }; + var assign = TryAssignProcessEntryLeaderParentSessionLeader(path); if (assign == null) return false; - var entity = document.IndicatorGeo ?? new Geo(); + var entity = document.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(); var assigned = assign(entity, value); - if (assigned) document.IndicatorGeo = entity; + if (assigned) document.SessionLeader = entity; return assigned; } - public static bool TrySetIndicatorRegistry(IIndicatorRegistry document, string path, object value) + public static Func TryAssignProcessSessionLeaderParentSessionLeader(string path) { - Func assign = path switch + Func assign = path switch { - "registry.data.bytes" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataBytes = p), - "RegistryDataBytes" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataBytes = p), - "registry.data.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataType = p), - "RegistryDataType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.DataType = p), - "registry.hive" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hive = p), - "RegistryHive" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hive = p), - "registry.key" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Key = p), - "RegistryKey" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Key = p), - "registry.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "RegistryPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "registry.value" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Value = p), - "RegistryValue" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Value = p), + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, 
v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = 
p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), _ => null }; + return assign; + } + public static bool TrySetProcessSessionLeaderParentSessionLeader(IProcessSessionLeaderParentSessionLeader document, string path, object value) + { + var assign = TryAssignProcessSessionLeaderParentSessionLeader(path); if (assign == null) return false; - var entity = document.IndicatorRegistry ?? new Registry(); + var entity = document.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(); var assigned = assign(entity, value); - if (assigned) document.IndicatorRegistry = entity; + if (assigned) document.SessionLeader = entity; return assigned; } - public static bool TrySetIndicatorUrl(IIndicatorUrl document, string path, object value) + public static Func TryAssignProcessPrevious(string path) { - Func assign = path switch + Func assign = path switch { - "url.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UrlDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "url.extension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), - "UrlExtension" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Extension = p), - "url.fragment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Fragment = p), - "UrlFragment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Fragment = p), - "url.full" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), - "UrlFull" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Full = p), - "url.original" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), - "UrlOriginal" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), - "url.password" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Password = p), - "UrlPassword" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Password = p), - "url.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "UrlPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "url.port" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), - "UrlPort" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Port = p), - "url.query" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Query = p), - "UrlQuery" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Query = p), - 
"url.registered_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), - "UrlRegisteredDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.RegisteredDomain = p), - "url.scheme" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Scheme = p), - "UrlScheme" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Scheme = p), - "url.subdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), - "UrlSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), - "url.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "UrlTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "url.username" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Username = p), - "UrlUsername" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Username = p), + "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), + "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), + "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), + "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), + "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), + "process.exit_code" => static (e, v) => TrySetLong(e, 
v, static (ee, p) => ee.ExitCode = p), + "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), + "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), + "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), + "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), + "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), + "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), + "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), + "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), + "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), + "process.working_directory" => static (e, 
v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), _ => null }; - if (assign == null) return false; - - var entity = document.IndicatorUrl ?? new Url(); - var assigned = assign(entity, value); - if (assigned) document.IndicatorUrl = entity; - return assigned; + return assign; } - public static bool TrySetClientX509(IClientX509 document, string path, object value) + public static Func TryAssignServiceOrigin(string path) { - Func assign = path switch + Func assign = path switch { - "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, 
p) => ee.PublicKeySize = p), - "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "service.node.name" => static (e, v) => 
TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetServiceOrigin(IServiceOrigin document, string path, object value) + { + var assign = TryAssignServiceOrigin(path); if (assign == null) return false; - var entity = document.ClientX509 ?? new X509(); + var entity = document.Origin ?? 
new ServiceOrigin(); var assigned = assign(entity, value); - if (assigned) document.ClientX509 = entity; + if (assigned) document.Origin = entity; return assigned; } - public static bool TrySetServerX509(IServerX509 document, string path, object value) + public static Func TryAssignServiceTarget(string path) { - Func assign = path switch + Func assign = path switch { - "x509.issuer.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "X509IssuerDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.IssuerDistinguishedName = p), - "x509.not_after" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "X509NotAfter" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotAfter = p), - "x509.not_before" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "X509NotBefore" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.NotBefore = p), - "x509.public_key_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "X509PublicKeyAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyAlgorithm = p), - "x509.public_key_curve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "X509PublicKeyCurve" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PublicKeyCurve = p), - "x509.public_key_exponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "X509PublicKeyExponent" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeyExponent = p), - "x509.public_key_size" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "X509PublicKeySize" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.PublicKeySize = p), - "x509.serial_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - 
"X509SerialNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SerialNumber = p), - "x509.signature_algorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "X509SignatureAlgorithm" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SignatureAlgorithm = p), - "x509.subject.distinguished_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "X509SubjectDistinguishedName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SubjectDistinguishedName = p), - "x509.version_number" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), - "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), + "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), + "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), + "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), + "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), + "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), + "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole 
= p), + "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), + "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), + "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetServiceTarget(IServiceTarget document, string path, object value) + { + var assign = TryAssignServiceTarget(path); if (assign == null) return false; - var entity = document.ServerX509 ?? new X509(); + var entity = document.Target ?? new ServiceTarget(); var assigned = assign(entity, value); - if (assigned) document.ServerX509 = entity; + if (assigned) document.Target = entity; return assigned; } - public static bool TrySetTarget(ITarget document, string path, object value) + public static Func TryAssignUserTarget(string path) { Func assign = path switch { @@ -7507,6 +7338,11 @@ public static bool TrySetTarget(ITarget document, string path, object value) "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetUserTarget(IUserTarget document, string path, object value) + { + var assign = TryAssignUserTarget(path); if (assign == null) return false; var entity = document.Target ?? new UserTarget(); @@ -7515,7 +7351,7 @@ public static bool TrySetTarget(ITarget document, string path, object value) return assigned; } - public static bool TrySetEffective(IEffective document, string path, object value) + public static Func TryAssignUserEffective(string path) { Func assign = path switch { 
@@ -7533,6 +7369,11 @@ public static bool TrySetEffective(IEffective document, string path, object valu "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetUserEffective(IUserEffective document, string path, object value) + { + var assign = TryAssignUserEffective(path); if (assign == null) return false; var entity = document.Effective ?? new UserEffective(); @@ -7541,7 +7382,7 @@ public static bool TrySetEffective(IEffective document, string path, object valu return assigned; } - public static bool TrySetChanges(IChanges document, string path, object value) + public static Func TryAssignUserChanges(string path) { Func assign = path switch { @@ -7559,6 +7400,11 @@ public static bool TrySetChanges(IChanges document, string path, object value) "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetUserChanges(IUserChanges document, string path, object value) + { + var assign = TryAssignUserChanges(path); if (assign == null) return false; var entity = document.Changes ?? new UserChanges(); diff --git a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs index 10f37dbc..3abbd5a1 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs @@ -17,7 +17,7 @@ protected PropertyReference(string localPath, string fullPath) public string Name => JsonProperty.PascalCase(); - public string LocalPath { get; } + private string LocalPath { get; } public string FullPath { get; } public string LogTemplateAlternative => FullPath.PascalCase(); 
@@ -90,15 +90,23 @@ public ValueTypePropertyReference(string parentPath, string fullPath, Field fiel Example = NormalizeDescription(field.Example?.ToString() ?? string.Empty); } - internal ValueTypePropertyReference(string parentPath, string prefix, string fullPath, Field field, EntityClass entity) - : this(parentPath, $"{prefix}.{fullPath}", field) + internal ValueTypePropertyReference(string parentPath, string fullPath, Field field, EntityPropertyReference property) + : this(parentPath, fullPath,field) { OriginalFullPath = fullPath; IsEntityDispatch = true; - CastFromObject = $"TrySet{entity.Name}"; + CastFromObject = $"TryAssign{property.Entity.Name}"; + + ContainerPath = property.Name; + ContainerPathEntity = property.Entity.Name; + + //if (property.Name.Contains(".")) + //CastFromObject = $"TrySet{property.Name}"; } public bool IsEntityDispatch { get; } public string OriginalFullPath { get; } + public string ContainerPath { get; } + public string ContainerPathEntity { get; } internal string ParentPath { get; } internal Field Field { get; } 
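Review bot: `OriginalFullPath = fullPath;` in the internal constructor now stores the same string that is forwarded to `this(parentPath, fullPath,field)`, so it no longer preserves an unprefixed path as it did when the chained call received `$"{prefix}.{fullPath}"`; either drop the property or pass the unprefixed path in separately. The two commented-out lines at the end of the constructor (`//if (property.Name.Contains("."))` and the line after it) should be deleted rather than committed. `ContainerPath` and `ContainerPathEntity` are only assigned in this constructor and stay null on instances built by the public one, which deserves a doc comment such as `/// <summary>Property on the parent entity that holds the nested entity; null unless IsEntityDispatch.</summary>`.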
@@ -108,8 +116,21 @@ internal ValueTypePropertyReference(string parentPath, string prefix, string ful public override string Description { get; } public override string Example { get; } - public ValueTypePropertyReference CreateSettableTypePropertyReference(string prefix, EntityClass entity) => - new(ParentPath, prefix, FullPath, Field, entity); + public ValueTypePropertyReference CreateSettableTypePropertyReference(EntityPropertyReference property) + { + var tokens = property.FullPath.Split(['.']).Where(t => !FullPath.StartsWith($"{t}.")).ToArray(); + var prefix = string.Join('.', tokens); + var newPath = $"{prefix}.{FullPath}"; + + return new ValueTypePropertyReference(prefix, newPath, Field, property); + /* + if (FullPath.StartsWith(property.JsonProperty)) + return new ValueTypePropertyReference(ParentPath, "", FullPath, Field, property); + + var tokens = property.JsonProperty.Split(['.']).Where(t => !FullPath.StartsWith($"{t}.")).ToArray(); + return new ValueTypePropertyReference(ParentPath, prefix, FullPath, Field, property); + */ + } } public class InlineObjectPropertyReference : PropertyReference diff --git a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs index 0c49d87b..9d3485a5 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs @@ -107,6 +107,7 @@ public CommonSchemaTypesProjection CreateProjection() var entities = EntityClasses.Values; var assignables = entities + .Concat(nestedEntityTypes.Values) .Where(e => e.EntityReferences.Count > 0) .SelectMany(e => e.EntityReferences.Select(r => (EntityClass: e, EntityPropertyReference: r)).ToList()) .Select(r => 
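Review bot: The `Where(t => !FullPath.StartsWith($"{t}."))` filter in `CreateSettableTypePropertyReference` removes every segment of `property.FullPath` that the field path happens to start with, wherever that segment sits, and it compares with the culture-sensitive overload. If the intent is only to avoid repeating the trailing segment of the parent path, test just the last token and match ordinally, e.g. `FullPath.StartsWith($"{t}.", StringComparison.Ordinal)`. `prefix` is also passed as the new reference's `parentPath` in place of `ParentPath`, which looks like it changes what `ParentPath` means for dispatch references; worth confirming that is intended. The `/* … */` block after the `return` is dead code and should be removed.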
@@ -156,33 +157,15 @@ public CommonSchemaTypesProjection CreateProjection() var assignableToEcsDocument = Projection.EntityClasses.Select(e=> assignables.FirstOrDefault(a=>a.Property.Entity == e && a.Property.Name == e.Name)).Where(a => a != null).ToList(); Projection.Base.AssignableInterfaces = assignableToEcsDocument; - var eHashs = new HashSet(Projection.EntityClasses.Select(e => e.Name)); - var aHashs = new HashSet(Projection.AssignableInterfaces.Select(e => e.Name.Substring(1, e.Name.Length - 1))); - eHashs.ExceptWith(aHashs); - var hashes = new HashSet(eHashs.Concat(aHashs)); + var allEntities = Projection.EntityClasses.Concat(Projection.NestedEntityClasses).ToDictionary(kv=>kv.Name); + var assignable = Projection.AssignableInterfaces.ToDictionary(e => e.Name.Substring(1, e.Name.Length - 1)); var propDispatches = new List(); - foreach (var dispatch in hashes) + foreach (var (name, entity) in allEntities) { - if (eHashs.Contains(dispatch)) - { - var entityClass = Projection.EntityClasses.First(e => e.Name == dispatch); - propDispatches.Add(new PropDispatch(dispatch, entityClass, Projection.Base.Name)); - } - else if (aHashs.Contains(dispatch)) - { - var entityClass = Projection.AssignableInterfaces.FirstOrDefault(e => e.Name == $"I{dispatch}"); - if (entityClass == null) - { - continue; - } - propDispatches.Add(new PropDispatch(entityClass.Property)); - } + var found = assignable.TryGetValue(name, out var a); + propDispatches.Add(new PropDispatch(entity, a)); } Projection.AssignablePropDispatches = propDispatches; - - Console.WriteLine(string.Join(", ", eHashs)); - - return Projection; } diff --git a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs index fb9d88c5..939eae41 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs 
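Review bot: `var found = assignable.TryGetValue(name, out var a);` leaves `found` unused; `assignable.TryGetValue(name, out var a);` is enough, since the `PropDispatch` constructor changed in this commit already treats a null second argument as "no interface". Both `ToDictionary` calls throw `ArgumentException` on a duplicate key, so an entity and a nested entity sharing a `Name`, or two assignable interfaces mapping to the same stripped name, would now abort generation where the removed `HashSet` code tolerated repeats; whether such duplicates can occur is not visible in this hunk. The lambda parameter in `ToDictionary(kv=>kv.Name)` is an entity rather than a key/value pair, so `e` would read better. The enclosing method starts outside the hunk.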
@@ -69,7 +69,7 @@ public EntityClass(string name, FieldSetBaseClass baseFieldSet) public IEnumerable SettableProperties => BaseFieldSet.ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)) - .Concat(EntityProperties.SelectMany(e=>e.Entity.SettableProperties.Select(s=>s.CreateSettableTypePropertyReference(OriginalName, e.Entity)))) + .Concat(EntityProperties.SelectMany(e=>e.Entity.SettableProperties.Select(s=>s.CreateSettableTypePropertyReference(e)))) .DistinctBy(e=>e.Name); @@ -107,24 +107,26 @@ public class PropDispatch public string FuncTarget { get; } public string AssignTarget { get; } public EntityClass Entity { get; } - public string Target { get; } + public string AssignParameter { get; } + public string AssignEntity { get; set; } - public PropDispatch(string name, EntityClass entity, string target) + public PropDispatch(EntityClass entity, AssignableEntityInterface assignable) { - Name = name; + + Name = entity.Name; FuncTarget = entity.Name; - AssignTarget = entity.Name; + AssignEntity = entity.Name; Entity = entity; - Target = target; + AssignTarget = entity.Name; + SettableProperties = Entity.SettableProperties.ToList(); + AssignParameter = "EcsDocument"; + if (assignable is { } a) + { + AssignParameter = $"I{Name}"; + AssignTarget = assignable.Property.Name; + } } - public PropDispatch(EntityPropertyReference property) - { - Name = property.Name; - Entity = property.Entity; - Target = $"I{Name}"; - FuncTarget = property.Entity.Name; - AssignTarget = property.Name; - } + public List SettableProperties { get; set; } } } diff --git a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml index 105110e1..61aae36f 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml 
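Review bot: In the new `PropDispatch` constructor, `if (assignable is { } a)` declares `a` but the body reads `assignable.Property.Name`; use `a.Property.Name` or write the test as `if (assignable is not null)`. `AssignEntity` and `SettableProperties` are the only members with a public setter although both are assigned once in the constructor, so `{ get; }` would match the other properties. `Name`, `FuncTarget` and `AssignEntity` all receive `entity.Name`, and the `"EcsDocument"` literal replaces a value the caller used to pass in, so a short comment stating which of these the template uses for the delegate type, the method name and the document parameter would help. The class body starts outside the hunk.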
@@ -151,30 +151,34 @@ namespace Elastic.CommonSchema { var entity = dispatch.Entity; - public static bool TrySet@(dispatch.Name)(@dispatch.Target document, string path, object value) + public static Func@(Raw("<"))@(dispatch.FuncTarget), object, bool@(Raw(">")) TryAssign@(dispatch.AssignEntity)(string path) { Func@(Raw("<"))@(dispatch.FuncTarget), object, bool@(Raw(">")) assign = path switch { - @foreach (var prop in entity.SettableProperties) + @foreach (var prop in dispatch.SettableProperties) { if (!prop.IsEntityDispatch) { - // "client.as.number" => static (e, v) => TrySetAs(e, "as.number", v), "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), } else { - "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, "@(prop.OriginalFullPath)", v), - "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, "@(prop.OriginalFullPath)", v), + "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ?? new @(prop.ContainerPathEntity)(),v), + "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ?? new @(prop.ContainerPathEntity)(),v), } } _ => null }; + return assign; + } + public static bool TrySet@(dispatch.AssignEntity)(@dispatch.AssignParameter document, string path, object value) + { + var assign = TryAssign@(dispatch.AssignEntity)(path); if (assign == null) return false; - + var entity = document.@(dispatch.AssignTarget) ?? new @(entity.Name)(); var assigned = assign(entity, value); if (assigned) document.@(dispatch.AssignTarget) = entity; From ee24400fd9352787b3a105ddf4e472ef5ce9ce1c Mon Sep 17 00:00:00 2001 
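Review bot: In the `IsEntityDispatch` branch the generated arm passes `e.@(prop.ContainerPath) ?? new @(prop.ContainerPathEntity)()` to the inner delegate, so when the container is null the value is written to a temporary that is never stored on `e`, and the assignment is lost while the arm can still report success. The same arm invokes the result of `@(prop.CastFromObject)("@(prop.JsonProperty)")` directly, although the `TryAssign…` methods this template emits return null for an unknown path (`_ => null`). Both arms could read `@(prop.CastFromObject)("@(prop.JsonProperty)")?.Invoke(e.@(prop.ContainerPath) ??= new @(prop.ContainerPathEntity)(), v) ?? false`. That form leaves an empty entity attached when the value fails to convert; if that matters, repeat the create, assign and store-on-success sequence that `TrySet@(dispatch.AssignEntity)` uses further down in this hunk.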
From: Martijn Laarman Date: Wed, 25 Sep 2024 14:54:26 +0200 Subject: [PATCH 5/8] stage --- .../PropDispatch.Generated.cs | 185 +++++++----------- .../Projection/PropertyReference.cs | 3 +- .../Projection/TypeProjector.cs | 2 + 3 files changed, 75 insertions(+), 115 deletions(-) diff --git a/src/Elastic.CommonSchema/PropDispatch.Generated.cs b/src/Elastic.CommonSchema/PropDispatch.Generated.cs index ee8966c4..b7dea5e8 100644 --- a/src/Elastic.CommonSchema/PropDispatch.Generated.cs +++ b/src/Elastic.CommonSchema/PropDispatch.Generated.cs @@ -5,7 +5,7 @@ /* IMPORTANT NOTE ============== -This file has been generated. +This file has been generated. If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! */ @@ -24,7 +24,7 @@ If you wish to submit a PR please modify the original csharp file and submit the namespace Elastic.CommonSchema { /// - public partial class EcsDocument : BaseFieldSet + public partial class EcsDocument : BaseFieldSet { /// /// Set ECS fields by name on . @@ -43,9 +43,9 @@ public partial class EcsDocument : BaseFieldSet public void AssignField(string path, object value) { var assigned = LogTemplateProperties.All.Contains(path) && TrySet(this, path, value); - if (!assigned && LogTemplateEntities.All.Contains(path)) + if (!assigned && LogTemplateEntities.All.Contains(path)) assigned = TrySetEntity(this, path, value); - if (!assigned) + if (!assigned) SetMetaOrLabel(this, path, value); } } @@ -652,9 +652,9 @@ bool TypeCheck(Dictionary templatedObject, string typeName) => } } - internal static bool TrySet(EcsDocument document, string path, object value) + internal static bool TrySet(EcsDocument document, string path, object value) { - switch (path) + switch (path) { case "@timestamp": case "Timestamp": 
@@ -3129,7 +3129,7 @@ public static bool TrySetAgent(EcsDocument document, string path, object value) { var assign = TryAssignAgent(path); if (assign == null) return false; - + var entity = document.Agent ?? new Agent(); var assigned = assign(entity, value); if (assigned) document.Agent = entity; @@ -3152,7 +3152,7 @@ public static bool TrySetAs(IAs document, string path, object value) { var assign = TryAssignAs(path); if (assign == null) return false; - + var entity = document.As ?? new As(); var assigned = assign(entity, value); if (assigned) document.As = entity; @@ -3261,7 +3261,7 @@ public static bool TrySetClient(EcsDocument document, string path, object value) { var assign = TryAssignClient(path); if (assign == null) return false; - + var entity = document.Client ?? new Client(); var assigned = assign(entity, value); if (assigned) document.Client = entity; @@ -3324,7 +3324,7 @@ public static bool TrySetCloud(EcsDocument document, string path, object value) { var assign = TryAssignCloud(path); if (assign == null) return false; - + var entity = document.Cloud ?? new Cloud(); var assigned = assign(entity, value); if (assigned) document.Cloud = entity; @@ -3361,7 +3361,7 @@ public static bool TrySetCodeSignature(ICodeSignature document, string path, obj { var assign = TryAssignCodeSignature(path); if (assign == null) return false; - + var entity = document.CodeSignature ?? new CodeSignature(); var assigned = assign(entity, value); if (assigned) document.CodeSignature = entity; @@ -3402,7 +3402,7 @@ public static bool TrySetContainer(EcsDocument document, string path, object val { var assign = TryAssignContainer(path); if (assign == null) return false; - + var entity = document.Container ?? new Container(); var assigned = assign(entity, value); if (assigned) document.Container = entity; 
@@ -3427,7 +3427,7 @@ public static bool TrySetDataStream(EcsDocument document, string path, object va { var assign = TryAssignDataStream(path); if (assign == null) return false; - + var entity = document.DataStream ?? new DataStream(); var assigned = assign(entity, value); if (assigned) document.DataStream = entity; @@ -3536,7 +3536,7 @@ public static bool TrySetDestination(EcsDocument document, string path, object v { var assign = TryAssignDestination(path); if (assign == null) return false; - + var entity = document.Destination ?? new Destination(); var assigned = assign(entity, value); if (assigned) document.Destination = entity; @@ -3563,7 +3563,7 @@ public static bool TrySetDevice(EcsDocument document, string path, object value) { var assign = TryAssignDevice(path); if (assign == null) return false; - + var entity = document.Device ?? new Device(); var assigned = assign(entity, value); if (assigned) document.Device = entity; @@ -3650,7 +3650,7 @@ public static bool TrySetDll(EcsDocument document, string path, object value) { var assign = TryAssignDll(path); if (assign == null) return false; - + var entity = document.Dll ?? new Dll(); var assigned = assign(entity, value); if (assigned) document.Dll = entity; @@ -3689,7 +3689,7 @@ public static bool TrySetDns(EcsDocument document, string path, object value) { var assign = TryAssignDns(path); if (assign == null) return false; - + var entity = document.Dns ?? new Dns(); var assigned = assign(entity, value); if (assigned) document.Dns = entity; @@ -3710,7 +3710,7 @@ public static bool TrySetEcs(EcsDocument document, string path, object value) { var assign = TryAssignEcs(path); if (assign == null) return false; - + var entity = document.Ecs ?? new Ecs(); var assigned = assign(entity, value); if (assigned) document.Ecs = entity; 
@@ -3771,7 +3771,7 @@ public static bool TrySetElf(IElf document, string path, object value) { var assign = TryAssignElf(path); if (assign == null) return false; - + var entity = document.Elf ?? new Elf(); var assigned = assign(entity, value); if (assigned) document.Elf = entity; @@ -3808,7 +3808,7 @@ public static bool TrySetEmail(EcsDocument document, string path, object value) { var assign = TryAssignEmail(path); if (assign == null) return false; - + var entity = document.Email ?? new Email(); var assigned = assign(entity, value); if (assigned) document.Email = entity; @@ -3837,7 +3837,7 @@ public static bool TrySetError(EcsDocument document, string path, object value) { var assign = TryAssignError(path); if (assign == null) return false; - + var entity = document.Error ?? new Error(); var assigned = assign(entity, value); if (assigned) document.Error = entity; @@ -3904,7 +3904,7 @@ public static bool TrySetEvent(EcsDocument document, string path, object value) { var assign = TryAssignEvent(path); if (assign == null) return false; - + var entity = document.Event ?? new Event(); var assigned = assign(entity, value); if (assigned) document.Event = entity; @@ -3937,7 +3937,7 @@ public static bool TrySetFaas(EcsDocument document, string path, object value) { var assign = TryAssignFaas(path); if (assign == null) return false; - + var entity = document.Faas ?? new Faas(); var assigned = assign(entity, value); if (assigned) document.Faas = entity; @@ -4144,7 +4144,7 @@ public static bool TrySetFile(EcsDocument document, string path, object value) { var assign = TryAssignFile(path); if (assign == null) return false; - + var entity = document.File ?? new File(); var assigned = assign(entity, value); if (assigned) document.File = entity; 
@@ -4183,7 +4183,7 @@ public static bool TrySetGeo(IGeo document, string path, object value) { var assign = TryAssignGeo(path); if (assign == null) return false; - + var entity = document.Geo ?? new Geo(); var assigned = assign(entity, value); if (assigned) document.Geo = entity; @@ -4208,7 +4208,7 @@ public static bool TrySetGroup(IGroup document, string path, object value) { var assign = TryAssignGroup(path); if (assign == null) return false; - + var entity = document.Group ?? new Group(); var assigned = assign(entity, value); if (assigned) document.Group = entity; @@ -4241,7 +4241,7 @@ public static bool TrySetHash(IHash document, string path, object value) { var assign = TryAssignHash(path); if (assign == null) return false; - + var entity = document.Hash ?? new Hash(); var assigned = assign(entity, value); if (assigned) document.Hash = entity; @@ -4338,7 +4338,7 @@ public static bool TrySetHost(EcsDocument document, string path, object value) { var assign = TryAssignHost(path); if (assign == null) return false; - + var entity = document.Host ?? new Host(); var assigned = assign(entity, value); if (assigned) document.Host = entity; @@ -4383,7 +4383,7 @@ public static bool TrySetHttp(EcsDocument document, string path, object value) { var assign = TryAssignHttp(path); if (assign == null) return false; - + var entity = document.Http ?? new Http(); var assigned = assign(entity, value); if (assigned) document.Http = entity; @@ -4408,7 +4408,7 @@ public static bool TrySetInterface(EcsDocument document, string path, object val { var assign = TryAssignInterface(path); if (assign == null) return false; - + var entity = document.Interface ?? new Interface(); var assigned = assign(entity, value); if (assigned) document.Interface = entity; 
@@ -4439,7 +4439,7 @@ public static bool TrySetLog(EcsDocument document, string path, object value) { var assign = TryAssignLog(path); if (assign == null) return false; - + var entity = document.Log ?? new Log(); var assigned = assign(entity, value); if (assigned) document.Log = entity; @@ -4476,7 +4476,7 @@ public static bool TrySetMacho(IMacho document, string path, object value) { var assign = TryAssignMacho(path); if (assign == null) return false; - + var entity = document.Macho ?? new Macho(); var assigned = assign(entity, value); if (assigned) document.Macho = entity; @@ -4521,7 +4521,7 @@ public static bool TrySetNetwork(EcsDocument document, string path, object value { var assign = TryAssignNetwork(path); if (assign == null) return false; - + var entity = document.Network ?? new Network(); var assigned = assign(entity, value); if (assigned) document.Network = entity; @@ -4588,7 +4588,7 @@ public static bool TrySetObserver(EcsDocument document, string path, object valu { var assign = TryAssignObserver(path); if (assign == null) return false; - + var entity = document.Observer ?? new Observer(); var assigned = assign(entity, value); if (assigned) document.Observer = entity; @@ -4631,7 +4631,7 @@ public static bool TrySetOrchestrator(EcsDocument document, string path, object { var assign = TryAssignOrchestrator(path); if (assign == null) return false; - + var entity = document.Orchestrator ?? new Orchestrator(); var assigned = assign(entity, value); if (assigned) document.Orchestrator = entity; @@ -4654,7 +4654,7 @@ public static bool TrySetOrganization(EcsDocument document, string path, object { var assign = TryAssignOrganization(path); if (assign == null) return false; - + var entity = document.Organization ?? new Organization(); var assigned = assign(entity, value); if (assigned) document.Organization = entity; 
@@ -4687,7 +4687,7 @@ public static bool TrySetOs(IOs document, string path, object value) { var assign = TryAssignOs(path); if (assign == null) return false; - + var entity = document.Os ?? new Os(); var assigned = assign(entity, value); if (assigned) document.Os = entity; @@ -4732,7 +4732,7 @@ public static bool TrySetPackage(EcsDocument document, string path, object value { var assign = TryAssignPackage(path); if (assign == null) return false; - + var entity = document.Package ?? new Package(); var assigned = assign(entity, value); if (assigned) document.Package = entity; @@ -4783,7 +4783,7 @@ public static bool TrySetPe(IPe document, string path, object value) { var assign = TryAssignPe(path); if (assign == null) return false; - + var entity = document.Pe ?? new Pe(); var assigned = assign(entity, value); if (assigned) document.Pe = entity; @@ -5302,7 +5302,7 @@ public static bool TrySetProcess(EcsDocument document, string path, object value { var assign = TryAssignProcess(path); if (assign == null) return false; - + var entity = document.Process ?? new Process(); var assigned = assign(entity, value); if (assigned) document.Process = entity; @@ -5333,7 +5333,7 @@ public static bool TrySetRegistry(EcsDocument document, string path, object valu { var assign = TryAssignRegistry(path); if (assign == null) return false; - + var entity = document.Registry ?? new Registry(); var assigned = assign(entity, value); if (assigned) document.Registry = entity; @@ -5352,7 +5352,7 @@ public static bool TrySetRelated(EcsDocument document, string path, object value { var assign = TryAssignRelated(path); if (assign == null) return false; - + var entity = document.Related ?? new Related(); var assigned = assign(entity, value); if (assigned) document.Related = entity; 
@@ -5383,7 +5383,7 @@ public static bool TrySetRisk(IRisk document, string path, object value) { var assign = TryAssignRisk(path); if (assign == null) return false; - + var entity = document.Risk ?? new Risk(); var assigned = assign(entity, value); if (assigned) document.Risk = entity; @@ -5420,7 +5420,7 @@ public static bool TrySetRule(EcsDocument document, string path, object value) { var assign = TryAssignRule(path); if (assign == null) return false; - + var entity = document.Rule ?? new Rule(); var assigned = assign(entity, value); if (assigned) document.Rule = entity; @@ -5529,7 +5529,7 @@ public static bool TrySetServer(EcsDocument document, string path, object value) { var assign = TryAssignServer(path); if (assign == null) return false; - + var entity = document.Server ?? new Server(); var assigned = assign(entity, value); if (assigned) document.Server = entity; @@ -5588,7 +5588,7 @@ public static bool TrySetService(EcsDocument document, string path, object value { var assign = TryAssignService(path); if (assign == null) return false; - + var entity = document.Service ?? new Service(); var assigned = assign(entity, value); if (assigned) document.Service = entity; @@ -5697,7 +5697,7 @@ public static bool TrySetSource(EcsDocument document, string path, object value) { var assign = TryAssignSource(path); if (assign == null) return false; - + var entity = document.Source ?? new Source(); var assigned = assign(entity, value); if (assigned) document.Source = entity; @@ -6046,7 +6046,7 @@ public static bool TrySetThreat(EcsDocument document, string path, object value) { var assign = TryAssignThreat(path); if (assign == null) return false; - + var entity = document.Threat ?? new Threat(); var assigned = assign(entity, value); if (assigned) document.Threat = entity; 
@@ -6139,7 +6139,7 @@ public static bool TrySetTls(EcsDocument document, string path, object value) { var assign = TryAssignTls(path); if (assign == null) return false; - + var entity = document.Tls ?? new Tls(); var assigned = assign(entity, value); if (assigned) document.Tls = entity; @@ -6186,7 +6186,7 @@ public static bool TrySetUrl(EcsDocument document, string path, object value) { var assign = TryAssignUrl(path); if (assign == null) return false; - + var entity = document.Url ?? new Url(); var assigned = assign(entity, value); if (assigned) document.Url = entity; @@ -6247,7 +6247,7 @@ public static bool TrySetUser(IUser document, string path, object value) { var assign = TryAssignUser(path); if (assign == null) return false; - + var entity = document.User ?? new User(); var assigned = assign(entity, value); if (assigned) document.User = entity; @@ -6288,7 +6288,7 @@ public static bool TrySetUserAgent(EcsDocument document, string path, object val { var assign = TryAssignUserAgent(path); if (assign == null) return false; - + var entity = document.UserAgent ?? new UserAgent(); var assigned = assign(entity, value); if (assigned) document.UserAgent = entity; @@ -6311,7 +6311,7 @@ public static bool TrySetVlan(IVlan document, string path, object value) { var assign = TryAssignVlan(path); if (assign == null) return false; - + var entity = document.Vlan ?? new Vlan(); var assigned = assign(entity, value); if (assigned) document.Vlan = entity; @@ -6354,7 +6354,7 @@ public static bool TrySetVulnerability(EcsDocument document, string path, object { var assign = TryAssignVulnerability(path); if (assign == null) return false; - + var entity = document.Vulnerability ?? new Vulnerability(); var assigned = assign(entity, value); if (assigned) document.Vulnerability = entity; 
@@ -6395,7 +6395,7 @@ public static bool TrySetX509(IX509 document, string path, object value) { var assign = TryAssignX509(path); if (assign == null) return false; - + var entity = document.X509 ?? new X509(); var assigned = assign(entity, value); if (assigned) document.X509 = entity; @@ -6436,7 +6436,7 @@ public static bool TrySetCloudOrigin(ICloudOrigin document, string path, object { var assign = TryAssignCloudOrigin(path); if (assign == null) return false; - + var entity = document.Origin ?? new CloudOrigin(); var assigned = assign(entity, value); if (assigned) document.Origin = entity; @@ -6477,7 +6477,7 @@ public static bool TrySetCloudTarget(ICloudTarget document, string path, object { var assign = TryAssignCloudTarget(path); if (assign == null) return false; - + var entity = document.Target ?? new CloudTarget(); var assigned = assign(entity, value); if (assigned) document.Target = entity; @@ -6564,7 +6564,7 @@ public static bool TrySetProcessParent(IProcessParent document, string path, obj { var assign = TryAssignProcessParent(path); if (assign == null) return false; - + var entity = document.Parent ?? new ProcessParent(); var assigned = assign(entity, value); if (assigned) document.Parent = entity; @@ -6685,7 +6685,7 @@ public static bool TrySetProcessEntryLeader(IProcessEntryLeader document, string { var assign = TryAssignProcessEntryLeader(path); if (assign == null) return false; - + var entity = document.EntryLeader ?? new ProcessEntryLeader(); var assigned = assign(entity, value); if (assigned) document.EntryLeader = entity; @@ -6806,7 +6806,7 @@ public static bool TrySetProcessSessionLeader(IProcessSessionLeader document, st { var assign = TryAssignProcessSessionLeader(path); if (assign == null) return false; - + var entity = document.SessionLeader ?? new ProcessSessionLeader(); var assigned = assign(entity, value); if (assigned) document.SessionLeader = entity; 
@@ -6859,7 +6859,7 @@ public static bool TrySetProcessGroupLeader(IProcessGroupLeader document, string { var assign = TryAssignProcessGroupLeader(path); if (assign == null) return false; - + var entity = document.GroupLeader ?? new ProcessGroupLeader(); var assigned = assign(entity, value); if (assigned) document.GroupLeader = entity; @@ -6912,7 +6912,7 @@ public static bool TrySetProcessParentGroupLeader(IProcessParentGroupLeader docu { var assign = TryAssignProcessParentGroupLeader(path); if (assign == null) return false; - + var entity = document.GroupLeader ?? new ProcessParentGroupLeader(); var assigned = assign(entity, value); if (assigned) document.GroupLeader = entity; @@ -6999,7 +6999,7 @@ public static bool TrySetProcessEntryLeaderParent(IProcessEntryLeaderParent docu { var assign = TryAssignProcessEntryLeaderParent(path); if (assign == null) return false; - + var entity = document.Parent ?? new ProcessEntryLeaderParent(); var assigned = assign(entity, value); if (assigned) document.Parent = entity; @@ -7086,7 +7086,7 @@ public static bool TrySetProcessSessionLeaderParent(IProcessSessionLeaderParent { var assign = TryAssignProcessSessionLeaderParent(path); if (assign == null) return false; - + var entity = document.Parent ?? new ProcessSessionLeaderParent(); var assigned = assign(entity, value); if (assigned) document.Parent = entity; @@ -7139,7 +7139,7 @@ public static bool TrySetProcessEntryLeaderParentSessionLeader(IProcessEntryLead { var assign = TryAssignProcessEntryLeaderParentSessionLeader(path); if (assign == null) return false; - + var entity = document.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(); var assigned = assign(entity, value); if (assigned) document.SessionLeader = entity; 
@@ -7192,56 +7192,13 @@ public static bool TrySetProcessSessionLeaderParentSessionLeader(IProcessSession { var assign = TryAssignProcessSessionLeaderParentSessionLeader(path); if (assign == null) return false; - + var entity = document.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(); var assigned = assign(entity, value); if (assigned) document.SessionLeader = entity; return assigned; } - public static Func TryAssignProcessPrevious(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, 
v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - _ => null - }; - return assign; - } - public static Func TryAssignServiceOrigin(string path) { Func assign = path switch 
@@ -7274,7 +7231,7 @@ public static bool TrySetServiceOrigin(IServiceOrigin document, string path, obj { var assign = TryAssignServiceOrigin(path); if (assign == null) return false; - + var entity = document.Origin ?? new ServiceOrigin(); var assigned = assign(entity, value); if (assigned) document.Origin = entity; @@ -7313,7 +7270,7 @@ public static bool TrySetServiceTarget(IServiceTarget document, string path, obj { var assign = TryAssignServiceTarget(path); if (assign == null) return false; - + var entity = document.Target ?? new ServiceTarget(); var assigned = assign(entity, value); if (assigned) document.Target = entity; @@ -7344,7 +7301,7 @@ public static bool TrySetUserTarget(IUserTarget document, string path, object va { var assign = TryAssignUserTarget(path); if (assign == null) return false; - + var entity = document.Target ?? new UserTarget(); var assigned = assign(entity, value); if (assigned) document.Target = entity; @@ -7375,7 +7332,7 @@ public static bool TrySetUserEffective(IUserEffective document, string path, obj { var assign = TryAssignUserEffective(path); if (assign == null) return false; - + var entity = document.Effective ?? new UserEffective(); var assigned = assign(entity, value); if (assigned) document.Effective = entity; @@ -7406,7 +7363,7 @@ public static bool TrySetUserChanges(IUserChanges document, string path, object { var assign = TryAssignUserChanges(path); if (assign == null) return false; - + var entity = document.Changes ?? new UserChanges(); var assigned = assign(entity, value); if (assigned) document.Changes = entity; diff --git a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs index 3abbd5a1..bc588afb 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs 
@@ -160,11 +160,12 @@ public EntityPropertyReference(string parentPath, string fullPath, EntityClass e Description = multiLineDescription; Example = ""; ClrType = Entity.Name; + IsArray = isArray; if (isArray) ClrType += "[]"; - } public EntityClass Entity { get; } + public bool IsArray { get; } public string ClrType { get; } public override string Description { get; } diff --git a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs index 9d3485a5..c612449a 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs @@ -163,6 +163,8 @@ public CommonSchemaTypesProjection CreateProjection() foreach (var (name, entity) in allEntities) { var found = assignable.TryGetValue(name, out var a); + if (found && a.Property.IsArray) + continue; propDispatches.Add(new PropDispatch(entity, a)); } Projection.AssignablePropDispatches = propDispatches; From 86c555f681ce691143eb265159b3162195c3ba7a Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 25 Sep 2024 21:50:55 +0200 Subject: [PATCH 6/8] Skip self referential properties for now --- .../LogTemplateProperties.Generated.cs | 1477 ++---- .../PropDispatch.Generated.cs | 4020 ++++++----------- .../Repro/GithubIssue402.cs | 40 +- .../Projection/ProjectionTypeExtensions.cs | 1 + .../Projection/PropertyReference.cs | 136 +- .../Projection/TypeProjector.cs | 12 +- .../Projection/Types.cs | 115 +- .../LogTemplateProperties.Generated.cshtml | 4 +- .../Views/PropDispatch.Generated.cshtml | 12 +- 9 files changed, 1845 insertions(+), 3972 deletions(-) diff --git a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs index b23bfbef..c79620dc 100644 --- a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs +++ b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs 
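Review bot: The new `IsArray` property on `EntityPropertyReference` (PropertyReference.cs) has no doc comment, and its relation to `ClrType`, which gets `[]` appended in the same constructor, is left for the reader to work out. The generator now branches on it in `TypeProjector.CreateProjection`, so I would document it, e.g. `/// <summary>True when the field holds an array of <see cref="Entity"/>; <see cref="ClrType"/> then ends in "[]".</summary>`. The constructor starts outside this hunk, so I am assuming `isArray` is its parameter.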
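Review bot: The added `if (found && a.Property.IsArray) continue;` in the `allEntities` loop of `CreateProjection` (TypeProjector.cs) drops array-valued entities from `AssignablePropDispatches` with no comment and no generator output recording the omission. The regenerated dispatch file in this patch appears to lose `TryAssignProcessPrevious` as a consequence, which looks intended, but nothing states why. A why-comment above the check would help, e.g. `// array-valued entity properties have no single instance to assign a path/value to, so no dispatch is generated`. The check also dereferences `a.Property` without a guard; if `Property` can be null for an entry in `assignable` (not visible here), `a.Property?.IsArray == true` would be safer. The method body starts and ends outside the hunk.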
@@ -243,6 +243,12 @@ public static class LogTemplateProperties /// public static string ClientGeoCountryName = nameof(ClientGeoCountryName); /// + /// client.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ClientGeoLocation = nameof(ClientGeoLocation); + /// /// client.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
@@ -369,44 +375,6 @@ public static class LogTemplateProperties /// public static string ClientUserRiskStaticScoreNorm = nameof(ClientUserRiskStaticScoreNorm); /// - /// client.user.target.user.domain - /// Name of the directory the user is a member of. - /// For example, an LDAP or Active Directory domain name. - /// - /// - public static string ClientUserTargetUserDomain = nameof(ClientUserTargetUserDomain); - /// - /// client.user.target.user.email - /// User email address. - /// - /// - public static string ClientUserTargetUserEmail = nameof(ClientUserTargetUserEmail); - /// - /// client.user.target.user.full_name - /// User's full name, if available. - /// Albert Einstein - /// - public static string ClientUserTargetUserFullName = nameof(ClientUserTargetUserFullName); - /// - /// client.user.target.user.hash - /// Unique user hash to correlate information for a user in anonymized form. - /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. - /// - /// - public static string ClientUserTargetUserHash = nameof(ClientUserTargetUserHash); - /// - /// client.user.target.user.id - /// Unique identifier of the user. - /// S-1-5-21-202424912787-2692429404-2351956786-1000 - /// - public static string ClientUserTargetUserId = nameof(ClientUserTargetUserId); - /// - /// client.user.target.user.name - /// Short name or login of the user. - /// a.einstein - /// - public static string ClientUserTargetUserName = nameof(ClientUserTargetUserName); - /// /// cloud.account.id /// The cloud account or organization id used to identify different entities in a multi-tenant environment. /// Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
@@ -478,77 +446,6 @@ public static class LogTemplateProperties /// public static string CloudServiceName = nameof(CloudServiceName); /// - /// origin.cloud.account.id - /// The cloud account or organization id used to identify different entities in a multi-tenant environment. - /// Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - /// 666777888999 - /// - public static string OriginCloudAccountId = nameof(OriginCloudAccountId); - /// - /// origin.cloud.account.name - /// The cloud account name or alias used to identify different entities in a multi-tenant environment. - /// Examples: AWS account name, Google Cloud ORG display name. - /// elastic-dev - /// - public static string OriginCloudAccountName = nameof(OriginCloudAccountName); - /// - /// origin.cloud.availability_zone - /// Availability zone in which this host, resource, or service is located. - /// us-east-1c - /// - public static string OriginCloudAvailabilityZone = nameof(OriginCloudAvailabilityZone); - /// - /// origin.cloud.instance.id - /// Instance ID of the host machine. - /// i-1234567890abcdef0 - /// - public static string OriginCloudInstanceId = nameof(OriginCloudInstanceId); - /// - /// origin.cloud.instance.name - /// Instance name of the host machine. - /// - /// - public static string OriginCloudInstanceName = nameof(OriginCloudInstanceName); - /// - /// origin.cloud.machine.type - /// Machine type of the host machine. - /// t2.medium - /// - public static string OriginCloudMachineType = nameof(OriginCloudMachineType); - /// - /// origin.cloud.project.id - /// The cloud project identifier. - /// Examples: Google Cloud Project id, Azure Project id. - /// my-project - /// - public static string OriginCloudProjectId = nameof(OriginCloudProjectId); - /// - /// origin.cloud.project.name - /// The cloud project name. - /// Examples: Google Cloud Project name, Azure Project name. 
- /// my project - /// - public static string OriginCloudProjectName = nameof(OriginCloudProjectName); - /// - /// origin.cloud.provider - /// Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - /// aws - /// - public static string OriginCloudProvider = nameof(OriginCloudProvider); - /// - /// origin.cloud.region - /// Region in which this host, resource, or service is located. - /// us-east-1 - /// - public static string OriginCloudRegion = nameof(OriginCloudRegion); - /// - /// origin.cloud.service.name - /// The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. - /// Examples: app engine, app service, cloud run, fargate, lambda. - /// lambda - /// - public static string OriginCloudServiceName = nameof(OriginCloudServiceName); - /// /// code_signature.digest_algorithm /// The hashing algorithm used to sign the process. /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -826,6 +723,12 @@ public static class LogTemplateProperties /// public static string DestinationGeoCountryName = nameof(DestinationGeoCountryName); /// + /// destination.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string DestinationGeoLocation = nameof(DestinationGeoLocation); + /// /// destination.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
@@ -952,44 +855,6 @@ public static class LogTemplateProperties /// public static string DestinationUserRiskStaticScoreNorm = nameof(DestinationUserRiskStaticScoreNorm); /// - /// destination.user.target.user.domain - /// Name of the directory the user is a member of. - /// For example, an LDAP or Active Directory domain name. - /// - /// - public static string DestinationUserTargetUserDomain = nameof(DestinationUserTargetUserDomain); - /// - /// destination.user.target.user.email - /// User email address. - /// - /// - public static string DestinationUserTargetUserEmail = nameof(DestinationUserTargetUserEmail); - /// - /// destination.user.target.user.full_name - /// User's full name, if available. - /// Albert Einstein - /// - public static string DestinationUserTargetUserFullName = nameof(DestinationUserTargetUserFullName); - /// - /// destination.user.target.user.hash - /// Unique user hash to correlate information for a user in anonymized form. - /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. - /// - /// - public static string DestinationUserTargetUserHash = nameof(DestinationUserTargetUserHash); - /// - /// destination.user.target.user.id - /// Unique identifier of the user. - /// S-1-5-21-202424912787-2692429404-2351956786-1000 - /// - public static string DestinationUserTargetUserId = nameof(DestinationUserTargetUserId); - /// - /// destination.user.target.user.name - /// Short name or login of the user. - /// a.einstein - /// - public static string DestinationUserTargetUserName = nameof(DestinationUserTargetUserName); - /// /// device.id /// The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. /// On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). 
On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. @@ -2398,6 +2263,12 @@ public static class LogTemplateProperties /// public static string GeoCountryName = nameof(GeoCountryName); /// + /// geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string GeoLocation = nameof(GeoLocation); + /// /// geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. @@ -2628,6 +2499,12 @@ public static class LogTemplateProperties /// public static string HostGeoCountryName = nameof(HostGeoCountryName); /// + /// host.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string HostGeoLocation = nameof(HostGeoLocation); + /// /// host.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. @@ -3120,6 +2997,12 @@ public static class LogTemplateProperties /// public static string ObserverGeoCountryName = nameof(ObserverGeoCountryName); /// + /// observer.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ObserverGeoLocation = nameof(ObserverGeoLocation); + /// /// observer.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
@@ -3654,6 +3537,44 @@ public static class LogTemplateProperties /// public static string ProcessGroupName = nameof(ProcessGroupName); /// + /// process.real_group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessRealGroupDomain = nameof(ProcessRealGroupDomain); + /// + /// process.real_group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessRealGroupId = nameof(ProcessRealGroupId); + /// + /// process.real_group.name + /// Name of the group. + /// + /// + public static string ProcessRealGroupName = nameof(ProcessRealGroupName); + /// + /// process.saved_group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessSavedGroupDomain = nameof(ProcessSavedGroupDomain); + /// + /// process.saved_group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessSavedGroupId = nameof(ProcessSavedGroupId); + /// + /// process.saved_group.name + /// Name of the group. + /// + /// + public static string ProcessSavedGroupName = nameof(ProcessSavedGroupName); + /// /// process.hash.md5 /// MD5 hash. /// @@ -4165,6 +4086,12 @@ public static class LogTemplateProperties /// public static string ProcessEntryMetaSourceGeoCountryName = nameof(ProcessEntryMetaSourceGeoCountryName); /// + /// process.entry_meta.source.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ProcessEntryMetaSourceGeoLocation = nameof(ProcessEntryMetaSourceGeoLocation); + /// /// process.entry_meta.source.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
@@ -4291,44 +4218,6 @@ public static class LogTemplateProperties /// public static string ProcessEntryMetaSourceUserRiskStaticScoreNorm = nameof(ProcessEntryMetaSourceUserRiskStaticScoreNorm); /// - /// process.entry_meta.source.user.target.user.domain - /// Name of the directory the user is a member of. - /// For example, an LDAP or Active Directory domain name. - /// - /// - public static string ProcessEntryMetaSourceUserTargetUserDomain = nameof(ProcessEntryMetaSourceUserTargetUserDomain); - /// - /// process.entry_meta.source.user.target.user.email - /// User email address. - /// - /// - public static string ProcessEntryMetaSourceUserTargetUserEmail = nameof(ProcessEntryMetaSourceUserTargetUserEmail); - /// - /// process.entry_meta.source.user.target.user.full_name - /// User's full name, if available. - /// Albert Einstein - /// - public static string ProcessEntryMetaSourceUserTargetUserFullName = nameof(ProcessEntryMetaSourceUserTargetUserFullName); - /// - /// process.entry_meta.source.user.target.user.hash - /// Unique user hash to correlate information for a user in anonymized form. - /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. - /// - /// - public static string ProcessEntryMetaSourceUserTargetUserHash = nameof(ProcessEntryMetaSourceUserTargetUserHash); - /// - /// process.entry_meta.source.user.target.user.id - /// Unique identifier of the user. - /// S-1-5-21-202424912787-2692429404-2351956786-1000 - /// - public static string ProcessEntryMetaSourceUserTargetUserId = nameof(ProcessEntryMetaSourceUserTargetUserId); - /// - /// process.entry_meta.source.user.target.user.name - /// Short name or login of the user. - /// a.einstein - /// - public static string ProcessEntryMetaSourceUserTargetUserName = nameof(ProcessEntryMetaSourceUserTargetUserName); - /// /// process.user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. 
@@ -4422,721 +4311,284 @@ public static class LogTemplateProperties /// public static string ProcessUserRiskStaticScoreNorm = nameof(ProcessUserRiskStaticScoreNorm); /// - /// process.user.target.user.domain + /// process.saved_user.domain /// Name of the directory the user is a member of. /// For example, an LDAP or Active Directory domain name. /// /// - public static string ProcessUserTargetUserDomain = nameof(ProcessUserTargetUserDomain); + public static string ProcessSavedUserDomain = nameof(ProcessSavedUserDomain); /// - /// process.user.target.user.email + /// process.saved_user.email /// User email address. /// /// - public static string ProcessUserTargetUserEmail = nameof(ProcessUserTargetUserEmail); + public static string ProcessSavedUserEmail = nameof(ProcessSavedUserEmail); /// - /// process.user.target.user.full_name + /// process.saved_user.full_name /// User's full name, if available. /// Albert Einstein /// - public static string ProcessUserTargetUserFullName = nameof(ProcessUserTargetUserFullName); + public static string ProcessSavedUserFullName = nameof(ProcessSavedUserFullName); /// - /// process.user.target.user.hash + /// process.saved_user.hash /// Unique user hash to correlate information for a user in anonymized form. /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ProcessUserTargetUserHash = nameof(ProcessUserTargetUserHash); + public static string ProcessSavedUserHash = nameof(ProcessSavedUserHash); /// - /// process.user.target.user.id + /// process.saved_user.id /// Unique identifier of the user. /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ProcessUserTargetUserId = nameof(ProcessUserTargetUserId); + public static string ProcessSavedUserId = nameof(ProcessSavedUserId); /// - /// process.user.target.user.name + /// process.saved_user.name /// Short name or login of the user. 
/// a.einstein /// - public static string ProcessUserTargetUserName = nameof(ProcessUserTargetUserName); - /// - /// parent.process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - /// 4 - /// - public static string ParentProcessArgsCount = nameof(ParentProcessArgsCount); + public static string ProcessSavedUserName = nameof(ProcessSavedUserName); /// - /// parent.process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 + /// process.saved_user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string ParentProcessCommandLine = nameof(ParentProcessCommandLine); + public static string ProcessSavedUserGroupDomain = nameof(ProcessSavedUserGroupDomain); /// - /// parent.process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM + /// process.saved_user.group.id + /// Unique identifier for the group on the system/platform. + /// /// - public static string ParentProcessEnd = nameof(ParentProcessEnd); + public static string ProcessSavedUserGroupId = nameof(ProcessSavedUserGroupId); /// - /// parent.process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
- /// c2c455d9f99375d + /// process.saved_user.group.name + /// Name of the group. + /// /// - public static string ParentProcessEntityId = nameof(ParentProcessEntityId); + public static string ProcessSavedUserGroupName = nameof(ProcessSavedUserGroupName); /// - /// parent.process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh + /// process.saved_user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High /// - public static string ParentProcessExecutable = nameof(ParentProcessExecutable); + public static string ProcessSavedUserRiskCalculatedLevel = nameof(ProcessSavedUserRiskCalculatedLevel); /// - /// parent.process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 + /// process.saved_user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 /// - public static string ParentProcessExitCode = nameof(ParentProcessExitCode); + public static string ProcessSavedUserRiskCalculatedScore = nameof(ProcessSavedUserRiskCalculatedScore); /// - /// parent.process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. 
- /// true + /// process.saved_user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 /// - public static string ParentProcessInteractive = nameof(ParentProcessInteractive); + public static string ProcessSavedUserRiskCalculatedScoreNorm = nameof(ProcessSavedUserRiskCalculatedScoreNorm); /// - /// parent.process.name - /// Process name. - /// Sometimes called program name or similar. - /// ssh + /// process.saved_user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High /// - public static string ParentProcessName = nameof(ParentProcessName); + public static string ProcessSavedUserRiskStaticLevel = nameof(ProcessSavedUserRiskStaticLevel); /// - /// parent.process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. - /// + /// process.saved_user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 /// - public static string ParentProcessPgid = nameof(ParentProcessPgid); + public static string ProcessSavedUserRiskStaticScore = nameof(ProcessSavedUserRiskStaticScore); /// - /// parent.process.pid - /// Process id. - /// 4242 + /// process.saved_user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 /// - public static string ParentProcessPid = nameof(ParentProcessPid); + public static string ProcessSavedUserRiskStaticScoreNorm = nameof(ProcessSavedUserRiskStaticScoreNorm); /// - /// parent.process.start - /// The time the process started. 
- /// 5/23/2016 8:05:34 AM + /// process.real_user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string ParentProcessStart = nameof(ParentProcessStart); + public static string ProcessRealUserDomain = nameof(ProcessRealUserDomain); /// - /// parent.process.thread.id - /// Thread ID. - /// 4242 + /// process.real_user.email + /// User email address. + /// /// - public static string ParentProcessThreadId = nameof(ParentProcessThreadId); + public static string ProcessRealUserEmail = nameof(ProcessRealUserEmail); /// - /// parent.process.thread.name - /// Thread name. - /// thread-0 + /// process.real_user.full_name + /// User's full name, if available. + /// Albert Einstein /// - public static string ParentProcessThreadName = nameof(ParentProcessThreadName); + public static string ProcessRealUserFullName = nameof(ProcessRealUserFullName); /// - /// parent.process.title - /// Process title. - /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// process.real_user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. /// /// - public static string ParentProcessTitle = nameof(ParentProcessTitle); + public static string ProcessRealUserHash = nameof(ProcessRealUserHash); /// - /// parent.process.uptime - /// Seconds the process has been up. - /// 1325 + /// process.real_user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string ParentProcessUptime = nameof(ParentProcessUptime); + public static string ProcessRealUserId = nameof(ProcessRealUserId); /// - /// parent.process.vpid - /// Virtual process id. - /// The process id within a pid namespace. 
This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 + /// process.real_user.name + /// Short name or login of the user. + /// a.einstein /// - public static string ParentProcessVpid = nameof(ParentProcessVpid); + public static string ProcessRealUserName = nameof(ProcessRealUserName); /// - /// parent.process.working_directory - /// The working directory of the process. - /// /home/alice + /// process.real_user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string ParentProcessWorkingDirectory = nameof(ParentProcessWorkingDirectory); + public static string ProcessRealUserGroupDomain = nameof(ProcessRealUserGroupDomain); /// - /// process.parent.group_leader.process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - /// 4 + /// process.real_user.group.id + /// Unique identifier for the group on the system/platform. + /// /// - public static string ProcessParentGroupLeaderProcessArgsCount = nameof(ProcessParentGroupLeaderProcessArgsCount); + public static string ProcessRealUserGroupId = nameof(ProcessRealUserGroupId); /// - /// process.parent.group_leader.process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 + /// process.real_user.group.name + /// Name of the group. 
+ /// /// - public static string ProcessParentGroupLeaderProcessCommandLine = nameof(ProcessParentGroupLeaderProcessCommandLine); + public static string ProcessRealUserGroupName = nameof(ProcessRealUserGroupName); /// - /// process.parent.group_leader.process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM - /// - public static string ProcessParentGroupLeaderProcessEnd = nameof(ProcessParentGroupLeaderProcessEnd); - /// - /// process.parent.group_leader.process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d - /// - public static string ProcessParentGroupLeaderProcessEntityId = nameof(ProcessParentGroupLeaderProcessEntityId); - /// - /// process.parent.group_leader.process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh - /// - public static string ProcessParentGroupLeaderProcessExecutable = nameof(ProcessParentGroupLeaderProcessExecutable); - /// - /// process.parent.group_leader.process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 - /// - public static string ProcessParentGroupLeaderProcessExitCode = nameof(ProcessParentGroupLeaderProcessExitCode); - /// - /// process.parent.group_leader.process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true - /// - public static string ProcessParentGroupLeaderProcessInteractive = nameof(ProcessParentGroupLeaderProcessInteractive); - /// - /// process.parent.group_leader.process.name - /// Process name. - /// Sometimes called program name or similar. - /// ssh - /// - public static string ProcessParentGroupLeaderProcessName = nameof(ProcessParentGroupLeaderProcessName); - /// - /// process.parent.group_leader.process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. - /// - /// - public static string ProcessParentGroupLeaderProcessPgid = nameof(ProcessParentGroupLeaderProcessPgid); - /// - /// process.parent.group_leader.process.pid - /// Process id. - /// 4242 - /// - public static string ProcessParentGroupLeaderProcessPid = nameof(ProcessParentGroupLeaderProcessPid); - /// - /// process.parent.group_leader.process.start - /// The time the process started. - /// 5/23/2016 8:05:34 AM - /// - public static string ProcessParentGroupLeaderProcessStart = nameof(ProcessParentGroupLeaderProcessStart); - /// - /// process.parent.group_leader.process.thread.id - /// Thread ID. - /// 4242 - /// - public static string ProcessParentGroupLeaderProcessThreadId = nameof(ProcessParentGroupLeaderProcessThreadId); - /// - /// process.parent.group_leader.process.thread.name - /// Thread name. 
- /// thread-0 - /// - public static string ProcessParentGroupLeaderProcessThreadName = nameof(ProcessParentGroupLeaderProcessThreadName); - /// - /// process.parent.group_leader.process.title - /// Process title. - /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - /// - /// - public static string ProcessParentGroupLeaderProcessTitle = nameof(ProcessParentGroupLeaderProcessTitle); - /// - /// process.parent.group_leader.process.uptime - /// Seconds the process has been up. - /// 1325 - /// - public static string ProcessParentGroupLeaderProcessUptime = nameof(ProcessParentGroupLeaderProcessUptime); - /// - /// process.parent.group_leader.process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 - /// - public static string ProcessParentGroupLeaderProcessVpid = nameof(ProcessParentGroupLeaderProcessVpid); - /// - /// process.parent.group_leader.process.working_directory - /// The working directory of the process. - /// /home/alice - /// - public static string ProcessParentGroupLeaderProcessWorkingDirectory = nameof(ProcessParentGroupLeaderProcessWorkingDirectory); - /// - /// process.entry_leader.parent.process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - /// 4 - /// - public static string ProcessEntryLeaderParentProcessArgsCount = nameof(ProcessEntryLeaderParentProcessArgsCount); - /// - /// process.entry_leader.parent.process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. 
- /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 - /// - public static string ProcessEntryLeaderParentProcessCommandLine = nameof(ProcessEntryLeaderParentProcessCommandLine); - /// - /// process.entry_leader.parent.process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM - /// - public static string ProcessEntryLeaderParentProcessEnd = nameof(ProcessEntryLeaderParentProcessEnd); - /// - /// process.entry_leader.parent.process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d - /// - public static string ProcessEntryLeaderParentProcessEntityId = nameof(ProcessEntryLeaderParentProcessEntityId); - /// - /// process.entry_leader.parent.process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh - /// - public static string ProcessEntryLeaderParentProcessExecutable = nameof(ProcessEntryLeaderParentProcessExecutable); - /// - /// process.entry_leader.parent.process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 - /// - public static string ProcessEntryLeaderParentProcessExitCode = nameof(ProcessEntryLeaderParentProcessExitCode); - /// - /// process.entry_leader.parent.process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true - /// - public static string ProcessEntryLeaderParentProcessInteractive = nameof(ProcessEntryLeaderParentProcessInteractive); - /// - /// process.entry_leader.parent.process.name - /// Process name. - /// Sometimes called program name or similar. - /// ssh - /// - public static string ProcessEntryLeaderParentProcessName = nameof(ProcessEntryLeaderParentProcessName); - /// - /// process.entry_leader.parent.process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. - /// - /// - public static string ProcessEntryLeaderParentProcessPgid = nameof(ProcessEntryLeaderParentProcessPgid); - /// - /// process.entry_leader.parent.process.pid - /// Process id. - /// 4242 - /// - public static string ProcessEntryLeaderParentProcessPid = nameof(ProcessEntryLeaderParentProcessPid); - /// - /// process.entry_leader.parent.process.start - /// The time the process started. - /// 5/23/2016 8:05:34 AM - /// - public static string ProcessEntryLeaderParentProcessStart = nameof(ProcessEntryLeaderParentProcessStart); - /// - /// process.entry_leader.parent.process.thread.id - /// Thread ID. - /// 4242 - /// - public static string ProcessEntryLeaderParentProcessThreadId = nameof(ProcessEntryLeaderParentProcessThreadId); - /// - /// process.entry_leader.parent.process.thread.name - /// Thread name. 
- /// thread-0 - /// - public static string ProcessEntryLeaderParentProcessThreadName = nameof(ProcessEntryLeaderParentProcessThreadName); - /// - /// process.entry_leader.parent.process.title - /// Process title. - /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - /// - /// - public static string ProcessEntryLeaderParentProcessTitle = nameof(ProcessEntryLeaderParentProcessTitle); - /// - /// process.entry_leader.parent.process.uptime - /// Seconds the process has been up. - /// 1325 - /// - public static string ProcessEntryLeaderParentProcessUptime = nameof(ProcessEntryLeaderParentProcessUptime); - /// - /// process.entry_leader.parent.process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 - /// - public static string ProcessEntryLeaderParentProcessVpid = nameof(ProcessEntryLeaderParentProcessVpid); - /// - /// process.entry_leader.parent.process.working_directory - /// The working directory of the process. - /// /home/alice - /// - public static string ProcessEntryLeaderParentProcessWorkingDirectory = nameof(ProcessEntryLeaderParentProcessWorkingDirectory); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
- /// 4 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.executable - /// Absolute path to the process executable. 
- /// /usr/bin/ssh - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.name - /// Process name. - /// Sometimes called program name or similar. 
- /// ssh - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. - /// - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.pid - /// Process id. - /// 4242 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.start - /// The time the process started. - /// 5/23/2016 8:05:34 AM - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id - /// Thread ID. - /// 4242 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name - /// Thread name. - /// thread-0 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.title - /// Process title. 
- /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - /// - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime - /// Seconds the process has been up. - /// 1325 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid); - /// - /// entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory - /// The working directory of the process. - /// /home/alice - /// - public static string EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory = nameof(EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory); - /// - /// process.session_leader.parent.process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
- /// 4 - /// - public static string ProcessSessionLeaderParentProcessArgsCount = nameof(ProcessSessionLeaderParentProcessArgsCount); - /// - /// process.session_leader.parent.process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 - /// - public static string ProcessSessionLeaderParentProcessCommandLine = nameof(ProcessSessionLeaderParentProcessCommandLine); - /// - /// process.session_leader.parent.process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM - /// - public static string ProcessSessionLeaderParentProcessEnd = nameof(ProcessSessionLeaderParentProcessEnd); - /// - /// process.session_leader.parent.process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d - /// - public static string ProcessSessionLeaderParentProcessEntityId = nameof(ProcessSessionLeaderParentProcessEntityId); - /// - /// process.session_leader.parent.process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh - /// - public static string ProcessSessionLeaderParentProcessExecutable = nameof(ProcessSessionLeaderParentProcessExecutable); - /// - /// process.session_leader.parent.process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). 
- /// 137 - /// - public static string ProcessSessionLeaderParentProcessExitCode = nameof(ProcessSessionLeaderParentProcessExitCode); - /// - /// process.session_leader.parent.process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true - /// - public static string ProcessSessionLeaderParentProcessInteractive = nameof(ProcessSessionLeaderParentProcessInteractive); - /// - /// process.session_leader.parent.process.name - /// Process name. - /// Sometimes called program name or similar. - /// ssh - /// - public static string ProcessSessionLeaderParentProcessName = nameof(ProcessSessionLeaderParentProcessName); - /// - /// process.session_leader.parent.process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. - /// - /// - public static string ProcessSessionLeaderParentProcessPgid = nameof(ProcessSessionLeaderParentProcessPgid); - /// - /// process.session_leader.parent.process.pid - /// Process id. - /// 4242 - /// - public static string ProcessSessionLeaderParentProcessPid = nameof(ProcessSessionLeaderParentProcessPid); - /// - /// process.session_leader.parent.process.start - /// The time the process started. 
- /// 5/23/2016 8:05:34 AM - /// - public static string ProcessSessionLeaderParentProcessStart = nameof(ProcessSessionLeaderParentProcessStart); - /// - /// process.session_leader.parent.process.thread.id - /// Thread ID. - /// 4242 - /// - public static string ProcessSessionLeaderParentProcessThreadId = nameof(ProcessSessionLeaderParentProcessThreadId); - /// - /// process.session_leader.parent.process.thread.name - /// Thread name. - /// thread-0 - /// - public static string ProcessSessionLeaderParentProcessThreadName = nameof(ProcessSessionLeaderParentProcessThreadName); - /// - /// process.session_leader.parent.process.title - /// Process title. - /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - /// + /// process.real_user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High /// - public static string ProcessSessionLeaderParentProcessTitle = nameof(ProcessSessionLeaderParentProcessTitle); + public static string ProcessRealUserRiskCalculatedLevel = nameof(ProcessRealUserRiskCalculatedLevel); /// - /// process.session_leader.parent.process.uptime - /// Seconds the process has been up. - /// 1325 + /// process.real_user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 /// - public static string ProcessSessionLeaderParentProcessUptime = nameof(ProcessSessionLeaderParentProcessUptime); + public static string ProcessRealUserRiskCalculatedScore = nameof(ProcessRealUserRiskCalculatedScore); /// - /// process.session_leader.parent.process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. 
- /// 4242 + /// process.real_user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 /// - public static string ProcessSessionLeaderParentProcessVpid = nameof(ProcessSessionLeaderParentProcessVpid); + public static string ProcessRealUserRiskCalculatedScoreNorm = nameof(ProcessRealUserRiskCalculatedScoreNorm); /// - /// process.session_leader.parent.process.working_directory - /// The working directory of the process. - /// /home/alice + /// process.real_user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High /// - public static string ProcessSessionLeaderParentProcessWorkingDirectory = nameof(ProcessSessionLeaderParentProcessWorkingDirectory); + public static string ProcessRealUserRiskStaticLevel = nameof(ProcessRealUserRiskStaticLevel); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - /// 4 + /// process.real_user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// 830.0 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount); + public static string ProcessRealUserRiskStaticScore = nameof(ProcessRealUserRiskStaticScore); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 + /// process.real_user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine); + public static string ProcessRealUserRiskStaticScoreNorm = nameof(ProcessRealUserRiskStaticScoreNorm); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.end - /// The time the process ended. - /// 5/23/2016 8:05:34 AM + /// process.attested_user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd); + public static string ProcessAttestedUserDomain = nameof(ProcessAttestedUserDomain); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.entity_id - /// Unique identifier for the process. 
- /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d + /// process.attested_user.email + /// User email address. + /// /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId); + public static string ProcessAttestedUserEmail = nameof(ProcessAttestedUserEmail); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh + /// process.attested_user.full_name + /// User's full name, if available. + /// Albert Einstein /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable); + public static string ProcessAttestedUserFullName = nameof(ProcessAttestedUserFullName); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 + /// process.attested_user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
+ /// /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode); + public static string ProcessAttestedUserHash = nameof(ProcessAttestedUserHash); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true + /// process.attested_user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive); + public static string ProcessAttestedUserId = nameof(ProcessAttestedUserId); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.name - /// Process name. - /// Sometimes called program name or similar. - /// ssh + /// process.attested_user.name + /// Short name or login of the user. 
+ /// a.einstein /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName); + public static string ProcessAttestedUserName = nameof(ProcessAttestedUserName); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. + /// process.attested_user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. /// /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid); + public static string ProcessAttestedUserGroupDomain = nameof(ProcessAttestedUserGroupDomain); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.pid - /// Process id. - /// 4242 + /// process.attested_user.group.id + /// Unique identifier for the group on the system/platform. + /// /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid); + public static string ProcessAttestedUserGroupId = nameof(ProcessAttestedUserGroupId); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.start - /// The time the process started. - /// 5/23/2016 8:05:34 AM + /// process.attested_user.group.name + /// Name of the group. 
+ /// /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart); + public static string ProcessAttestedUserGroupName = nameof(ProcessAttestedUserGroupName); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.thread.id - /// Thread ID. - /// 4242 + /// process.attested_user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId); + public static string ProcessAttestedUserRiskCalculatedLevel = nameof(ProcessAttestedUserRiskCalculatedLevel); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.thread.name - /// Thread name. - /// thread-0 + /// process.attested_user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName); + public static string ProcessAttestedUserRiskCalculatedScore = nameof(ProcessAttestedUserRiskCalculatedScore); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.title - /// Process title. - /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - /// + /// process.attested_user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. 
+ /// 88.73 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle); + public static string ProcessAttestedUserRiskCalculatedScoreNorm = nameof(ProcessAttestedUserRiskCalculatedScoreNorm); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.uptime - /// Seconds the process has been up. - /// 1325 + /// process.attested_user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime); + public static string ProcessAttestedUserRiskStaticLevel = nameof(ProcessAttestedUserRiskStaticLevel); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 + /// process.attested_user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid); + public static string ProcessAttestedUserRiskStaticScore = nameof(ProcessAttestedUserRiskStaticScore); /// - /// session_leader.process.parent.session_leader.parent.session_leader.process.working_directory - /// The working directory of the process. 
- /// /home/alice + /// process.attested_user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 /// - public static string SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory = nameof(SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory); + public static string ProcessAttestedUserRiskStaticScoreNorm = nameof(ProcessAttestedUserRiskStaticScoreNorm); /// /// registry.data.bytes /// Original bytes written with base64 encoding. @@ -5390,6 +4842,12 @@ public static class LogTemplateProperties /// public static string ServerGeoCountryName = nameof(ServerGeoCountryName); /// + /// server.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ServerGeoLocation = nameof(ServerGeoLocation); + /// /// server.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
@@ -5516,44 +4974,6 @@ public static class LogTemplateProperties /// public static string ServerUserRiskStaticScoreNorm = nameof(ServerUserRiskStaticScoreNorm); /// - /// server.user.target.user.domain - /// Name of the directory the user is a member of. - /// For example, an LDAP or Active Directory domain name. - /// - /// - public static string ServerUserTargetUserDomain = nameof(ServerUserTargetUserDomain); - /// - /// server.user.target.user.email - /// User email address. - /// - /// - public static string ServerUserTargetUserEmail = nameof(ServerUserTargetUserEmail); - /// - /// server.user.target.user.full_name - /// User's full name, if available. - /// Albert Einstein - /// - public static string ServerUserTargetUserFullName = nameof(ServerUserTargetUserFullName); - /// - /// server.user.target.user.hash - /// Unique user hash to correlate information for a user in anonymized form. - /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. - /// - /// - public static string ServerUserTargetUserHash = nameof(ServerUserTargetUserHash); - /// - /// server.user.target.user.id - /// Unique identifier of the user. - /// S-1-5-21-202424912787-2692429404-2351956786-1000 - /// - public static string ServerUserTargetUserId = nameof(ServerUserTargetUserId); - /// - /// server.user.target.user.name - /// Short name or login of the user. - /// a.einstein - /// - public static string ServerUserTargetUserName = nameof(ServerUserTargetUserName); - /// /// service.address /// Address where data about this service was collected from. /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
@@ -5632,84 +5052,6 @@ public static class LogTemplateProperties /// public static string ServiceVersion = nameof(ServiceVersion); /// - /// origin.service.address - /// Address where data about this service was collected from. - /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - /// 172.26.0.2:5432 - /// - public static string OriginServiceAddress = nameof(OriginServiceAddress); - /// - /// origin.service.environment - /// Identifies the environment where the service is running. - /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. - ///
This field is beta and subject to change.
- /// production - ///
- public static string OriginServiceEnvironment = nameof(OriginServiceEnvironment); - /// - /// origin.service.ephemeral_id - /// Ephemeral identifier of this service (if one exists). - /// This id normally changes across restarts, but `service.id` does not. - /// 8a4f500f - /// - public static string OriginServiceEphemeralId = nameof(OriginServiceEphemeralId); - /// - /// origin.service.id - /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - /// - public static string OriginServiceId = nameof(OriginServiceId); - /// - /// origin.service.name - /// Name of the service data is collected from. - /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - /// elasticsearch-metrics - /// - public static string OriginServiceName = nameof(OriginServiceName); - /// - /// origin.service.node.name - /// Name of a service node. - /// This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. - /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - /// instance-0000000016 - /// - public static string OriginServiceNodeName = nameof(OriginServiceNodeName); - /// - /// origin.service.node.role - /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. - /// Role of a service node. - /// This allows for distinction between different running roles of the same service. - /// In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - /// In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. - /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. - /// background_tasks - /// - public static string OriginServiceNodeRole = nameof(OriginServiceNodeRole); - /// - /// origin.service.state - /// Current state of the service. - /// - /// - public static string OriginServiceState = nameof(OriginServiceState); - /// - /// origin.service.type - /// The type of the service data is collected from. - /// The type can be used to group and correlate logs and metrics from one service type. - /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - /// elasticsearch - /// - public static string OriginServiceType = nameof(OriginServiceType); - /// - /// origin.service.version - /// Version of the service the data was collected from. - /// This allows to look at a data set only for a specific version of a service. - /// 3.2.4 - /// - public static string OriginServiceVersion = nameof(OriginServiceVersion); - /// /// source.address /// Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5834,6 +5176,12 @@ public static class LogTemplateProperties /// public static string SourceGeoCountryName = nameof(SourceGeoCountryName); /// + /// source.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string SourceGeoLocation = nameof(SourceGeoLocation); + /// /// source.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
@@ -5960,44 +5308,6 @@ public static class LogTemplateProperties /// public static string SourceUserRiskStaticScoreNorm = nameof(SourceUserRiskStaticScoreNorm); /// - /// source.user.target.user.domain - /// Name of the directory the user is a member of. - /// For example, an LDAP or Active Directory domain name. - /// - /// - public static string SourceUserTargetUserDomain = nameof(SourceUserTargetUserDomain); - /// - /// source.user.target.user.email - /// User email address. - /// - /// - public static string SourceUserTargetUserEmail = nameof(SourceUserTargetUserEmail); - /// - /// source.user.target.user.full_name - /// User's full name, if available. - /// Albert Einstein - /// - public static string SourceUserTargetUserFullName = nameof(SourceUserTargetUserFullName); - /// - /// source.user.target.user.hash - /// Unique user hash to correlate information for a user in anonymized form. - /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. - /// - /// - public static string SourceUserTargetUserHash = nameof(SourceUserTargetUserHash); - /// - /// source.user.target.user.id - /// Unique identifier of the user. - /// S-1-5-21-202424912787-2692429404-2351956786-1000 - /// - public static string SourceUserTargetUserId = nameof(SourceUserTargetUserId); - /// - /// source.user.target.user.name - /// Short name or login of the user. - /// a.einstein - /// - public static string SourceUserTargetUserName = nameof(SourceUserTargetUserName); - /// /// threat.feed.dashboard_id /// The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. /// 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f 
@@ -6913,6 +6223,12 @@ public static class LogTemplateProperties /// public static string ThreatIndicatorGeoCountryName = nameof(ThreatIndicatorGeoCountryName); /// + /// threat.indicator.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ThreatIndicatorGeoLocation = nameof(ThreatIndicatorGeoLocation); + /// /// threat.indicator.geo.name /// User-defined description of a location, at the level of granularity they care about. /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. @@ -7495,44 +6811,6 @@ public static class LogTemplateProperties /// public static string UserRiskStaticScoreNorm = nameof(UserRiskStaticScoreNorm); /// - /// target.user.domain - /// Name of the directory the user is a member of. - /// For example, an LDAP or Active Directory domain name. - /// - /// - public static string TargetUserDomain = nameof(TargetUserDomain); - /// - /// target.user.email - /// User email address. - /// - /// - public static string TargetUserEmail = nameof(TargetUserEmail); - /// - /// target.user.full_name - /// User's full name, if available. - /// Albert Einstein - /// - public static string TargetUserFullName = nameof(TargetUserFullName); - /// - /// target.user.hash - /// Unique user hash to correlate information for a user in anonymized form. - /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. - /// - /// - public static string TargetUserHash = nameof(TargetUserHash); - /// - /// target.user.id - /// Unique identifier of the user. - /// S-1-5-21-202424912787-2692429404-2351956786-1000 - /// - public static string TargetUserId = nameof(TargetUserId); - /// - /// target.user.name - /// Short name or login of the user. - /// a.einstein - /// - public static string TargetUserName = nameof(TargetUserName); - /// /// user_agent.device.name /// Name of the device. /// iPhone 
@@ -7799,6 +7077,7 @@ public static class LogTemplateProperties "client.geo.continent_name", ClientGeoContinentName, "client.geo.country_iso_code", ClientGeoCountryIsoCode, "client.geo.country_name", ClientGeoCountryName, + "client.geo.location", ClientGeoLocation, "client.geo.name", ClientGeoName, "client.geo.postal_code", ClientGeoPostalCode, "client.geo.region_iso_code", ClientGeoRegionIsoCode, @@ -7819,12 +7098,6 @@ public static class LogTemplateProperties "client.user.risk.static_level", ClientUserRiskStaticLevel, "client.user.risk.static_score", ClientUserRiskStaticScore, "client.user.risk.static_score_norm", ClientUserRiskStaticScoreNorm, - "client.user.target.user.domain", ClientUserTargetUserDomain, - "client.user.target.user.email", ClientUserTargetUserEmail, - "client.user.target.user.full_name", ClientUserTargetUserFullName, - "client.user.target.user.hash", ClientUserTargetUserHash, - "client.user.target.user.id", ClientUserTargetUserId, - "client.user.target.user.name", ClientUserTargetUserName, "cloud.account.id", CloudAccountId, "cloud.account.name", CloudAccountName, "cloud.availability_zone", CloudAvailabilityZone, 
@@ -7836,17 +7109,6 @@ public static class LogTemplateProperties "cloud.provider", CloudProvider, "cloud.region", CloudRegion, "cloud.service.name", CloudServiceName, - "origin.cloud.account.id", OriginCloudAccountId, - "origin.cloud.account.name", OriginCloudAccountName, - "origin.cloud.availability_zone", OriginCloudAvailabilityZone, - "origin.cloud.instance.id", OriginCloudInstanceId, - "origin.cloud.instance.name", OriginCloudInstanceName, - "origin.cloud.machine.type", OriginCloudMachineType, - "origin.cloud.project.id", OriginCloudProjectId, - "origin.cloud.project.name", OriginCloudProjectName, - "origin.cloud.provider", OriginCloudProvider, - "origin.cloud.region", OriginCloudRegion, - "origin.cloud.service.name", OriginCloudServiceName, "code_signature.digest_algorithm", CodeSignatureDigestAlgorithm, "code_signature.exists", CodeSignatureExists, "code_signature.signing_id", CodeSignatureSigningId, @@ -7889,6 +7151,7 @@ public static class LogTemplateProperties "destination.geo.continent_name", DestinationGeoContinentName, "destination.geo.country_iso_code", DestinationGeoCountryIsoCode, "destination.geo.country_name", DestinationGeoCountryName, + "destination.geo.location", DestinationGeoLocation, "destination.geo.name", DestinationGeoName, "destination.geo.postal_code", DestinationGeoPostalCode, "destination.geo.region_iso_code", DestinationGeoRegionIsoCode, 
@@ -7909,12 +7172,6 @@ public static class LogTemplateProperties "destination.user.risk.static_level", DestinationUserRiskStaticLevel, "destination.user.risk.static_score", DestinationUserRiskStaticScore, "destination.user.risk.static_score_norm", DestinationUserRiskStaticScoreNorm, - "destination.user.target.user.domain", DestinationUserTargetUserDomain, - "destination.user.target.user.email", DestinationUserTargetUserEmail, - "destination.user.target.user.full_name", DestinationUserTargetUserFullName, - "destination.user.target.user.hash", DestinationUserTargetUserHash, - "destination.user.target.user.id", DestinationUserTargetUserId, - "destination.user.target.user.name", DestinationUserTargetUserName, "device.id", DeviceId, "device.manufacturer", DeviceManufacturer, "device.model.identifier", DeviceModelIdentifier, @@ -8129,6 +7386,7 @@ public static class LogTemplateProperties "geo.continent_name", GeoContinentName, "geo.country_iso_code", GeoCountryIsoCode, "geo.country_name", GeoCountryName, + "geo.location", GeoLocation, "geo.name", GeoName, "geo.postal_code", GeoPostalCode, "geo.region_iso_code", GeoRegionIsoCode, @@ -8165,6 +7423,7 @@ public static class LogTemplateProperties "host.geo.continent_name", HostGeoContinentName, "host.geo.country_iso_code", HostGeoCountryIsoCode, "host.geo.country_name", HostGeoCountryName, + "host.geo.location", HostGeoLocation, "host.geo.name", HostGeoName, "host.geo.postal_code", HostGeoPostalCode, "host.geo.region_iso_code", HostGeoRegionIsoCode, @@ -8239,6 +7498,7 @@ public static class LogTemplateProperties "observer.geo.continent_name", ObserverGeoContinentName, "observer.geo.country_iso_code", ObserverGeoCountryIsoCode, "observer.geo.country_name", ObserverGeoCountryName, + "observer.geo.location", ObserverGeoLocation, "observer.geo.name", ObserverGeoName, "observer.geo.postal_code", ObserverGeoPostalCode, "observer.geo.region_iso_code", ObserverGeoRegionIsoCode, 
@@ -8321,6 +7581,12 @@ public static class LogTemplateProperties "process.group.domain", ProcessGroupDomain, "process.group.id", ProcessGroupId, "process.group.name", ProcessGroupName, + "process.real_group.domain", ProcessRealGroupDomain, + "process.real_group.id", ProcessRealGroupId, + "process.real_group.name", ProcessRealGroupName, + "process.saved_group.domain", ProcessSavedGroupDomain, + "process.saved_group.id", ProcessSavedGroupId, + "process.saved_group.name", ProcessSavedGroupName, "process.hash.md5", ProcessHashMd5, "process.hash.sha1", ProcessHashSha1, "process.hash.sha256", ProcessHashSha256, @@ -8402,6 +7668,7 @@ public static class LogTemplateProperties "process.entry_meta.source.geo.continent_name", ProcessEntryMetaSourceGeoContinentName, "process.entry_meta.source.geo.country_iso_code", ProcessEntryMetaSourceGeoCountryIsoCode, "process.entry_meta.source.geo.country_name", ProcessEntryMetaSourceGeoCountryName, + "process.entry_meta.source.geo.location", ProcessEntryMetaSourceGeoLocation, "process.entry_meta.source.geo.name", ProcessEntryMetaSourceGeoName, "process.entry_meta.source.geo.postal_code", ProcessEntryMetaSourceGeoPostalCode, "process.entry_meta.source.geo.region_iso_code", ProcessEntryMetaSourceGeoRegionIsoCode, 
@@ -8422,12 +7689,6 @@ public static class LogTemplateProperties "process.entry_meta.source.user.risk.static_level", ProcessEntryMetaSourceUserRiskStaticLevel, "process.entry_meta.source.user.risk.static_score", ProcessEntryMetaSourceUserRiskStaticScore, "process.entry_meta.source.user.risk.static_score_norm", ProcessEntryMetaSourceUserRiskStaticScoreNorm, - "process.entry_meta.source.user.target.user.domain", ProcessEntryMetaSourceUserTargetUserDomain, - "process.entry_meta.source.user.target.user.email", ProcessEntryMetaSourceUserTargetUserEmail, - "process.entry_meta.source.user.target.user.full_name", ProcessEntryMetaSourceUserTargetUserFullName, - "process.entry_meta.source.user.target.user.hash", ProcessEntryMetaSourceUserTargetUserHash, - "process.entry_meta.source.user.target.user.id", ProcessEntryMetaSourceUserTargetUserId, - "process.entry_meta.source.user.target.user.name", ProcessEntryMetaSourceUserTargetUserName, "process.user.domain", ProcessUserDomain, "process.user.email", ProcessUserEmail, "process.user.full_name", ProcessUserFullName, 
@@ -8443,114 +7704,51 @@ public static class LogTemplateProperties "process.user.risk.static_level", ProcessUserRiskStaticLevel, "process.user.risk.static_score", ProcessUserRiskStaticScore, "process.user.risk.static_score_norm", ProcessUserRiskStaticScoreNorm, - "process.user.target.user.domain", ProcessUserTargetUserDomain, - "process.user.target.user.email", ProcessUserTargetUserEmail, - "process.user.target.user.full_name", ProcessUserTargetUserFullName, - "process.user.target.user.hash", ProcessUserTargetUserHash, - "process.user.target.user.id", ProcessUserTargetUserId, - "process.user.target.user.name", ProcessUserTargetUserName, - "parent.process.args_count", ParentProcessArgsCount, - "parent.process.command_line", ParentProcessCommandLine, - "parent.process.end", ParentProcessEnd, - "parent.process.entity_id", ParentProcessEntityId, - "parent.process.executable", ParentProcessExecutable, - "parent.process.exit_code", ParentProcessExitCode, - "parent.process.interactive", ParentProcessInteractive, - "parent.process.name", ParentProcessName, - "parent.process.pgid", ParentProcessPgid, - "parent.process.pid", ParentProcessPid, - "parent.process.start", ParentProcessStart, - "parent.process.thread.id", ParentProcessThreadId, - "parent.process.thread.name", ParentProcessThreadName, - "parent.process.title", ParentProcessTitle, - "parent.process.uptime", ParentProcessUptime, - "parent.process.vpid", ParentProcessVpid, - "parent.process.working_directory", ParentProcessWorkingDirectory, - "process.parent.group_leader.process.args_count", ProcessParentGroupLeaderProcessArgsCount, - "process.parent.group_leader.process.command_line", ProcessParentGroupLeaderProcessCommandLine, - "process.parent.group_leader.process.end", ProcessParentGroupLeaderProcessEnd, - "process.parent.group_leader.process.entity_id", ProcessParentGroupLeaderProcessEntityId, - "process.parent.group_leader.process.executable", ProcessParentGroupLeaderProcessExecutable, - 
"process.parent.group_leader.process.exit_code", ProcessParentGroupLeaderProcessExitCode, - "process.parent.group_leader.process.interactive", ProcessParentGroupLeaderProcessInteractive, - "process.parent.group_leader.process.name", ProcessParentGroupLeaderProcessName, - "process.parent.group_leader.process.pgid", ProcessParentGroupLeaderProcessPgid, - "process.parent.group_leader.process.pid", ProcessParentGroupLeaderProcessPid, - "process.parent.group_leader.process.start", ProcessParentGroupLeaderProcessStart, - "process.parent.group_leader.process.thread.id", ProcessParentGroupLeaderProcessThreadId, - "process.parent.group_leader.process.thread.name", ProcessParentGroupLeaderProcessThreadName, - "process.parent.group_leader.process.title", ProcessParentGroupLeaderProcessTitle, - "process.parent.group_leader.process.uptime", ProcessParentGroupLeaderProcessUptime, - "process.parent.group_leader.process.vpid", ProcessParentGroupLeaderProcessVpid, - "process.parent.group_leader.process.working_directory", ProcessParentGroupLeaderProcessWorkingDirectory, - "process.entry_leader.parent.process.args_count", ProcessEntryLeaderParentProcessArgsCount, - "process.entry_leader.parent.process.command_line", ProcessEntryLeaderParentProcessCommandLine, - "process.entry_leader.parent.process.end", ProcessEntryLeaderParentProcessEnd, - "process.entry_leader.parent.process.entity_id", ProcessEntryLeaderParentProcessEntityId, - "process.entry_leader.parent.process.executable", ProcessEntryLeaderParentProcessExecutable, - "process.entry_leader.parent.process.exit_code", ProcessEntryLeaderParentProcessExitCode, - "process.entry_leader.parent.process.interactive", ProcessEntryLeaderParentProcessInteractive, - "process.entry_leader.parent.process.name", ProcessEntryLeaderParentProcessName, - "process.entry_leader.parent.process.pgid", ProcessEntryLeaderParentProcessPgid, - "process.entry_leader.parent.process.pid", ProcessEntryLeaderParentProcessPid, - 
"process.entry_leader.parent.process.start", ProcessEntryLeaderParentProcessStart, - "process.entry_leader.parent.process.thread.id", ProcessEntryLeaderParentProcessThreadId, - "process.entry_leader.parent.process.thread.name", ProcessEntryLeaderParentProcessThreadName, - "process.entry_leader.parent.process.title", ProcessEntryLeaderParentProcessTitle, - "process.entry_leader.parent.process.uptime", ProcessEntryLeaderParentProcessUptime, - "process.entry_leader.parent.process.vpid", ProcessEntryLeaderParentProcessVpid, - "process.entry_leader.parent.process.working_directory", ProcessEntryLeaderParentProcessWorkingDirectory, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.end", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.executable", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.name", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid", 
EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.pid", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.start", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.title", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid, - "entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory", EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory, - "process.session_leader.parent.process.args_count", ProcessSessionLeaderParentProcessArgsCount, - "process.session_leader.parent.process.command_line", ProcessSessionLeaderParentProcessCommandLine, - "process.session_leader.parent.process.end", ProcessSessionLeaderParentProcessEnd, - "process.session_leader.parent.process.entity_id", ProcessSessionLeaderParentProcessEntityId, - "process.session_leader.parent.process.executable", ProcessSessionLeaderParentProcessExecutable, - "process.session_leader.parent.process.exit_code", ProcessSessionLeaderParentProcessExitCode, - "process.session_leader.parent.process.interactive", ProcessSessionLeaderParentProcessInteractive, - 
"process.session_leader.parent.process.name", ProcessSessionLeaderParentProcessName, - "process.session_leader.parent.process.pgid", ProcessSessionLeaderParentProcessPgid, - "process.session_leader.parent.process.pid", ProcessSessionLeaderParentProcessPid, - "process.session_leader.parent.process.start", ProcessSessionLeaderParentProcessStart, - "process.session_leader.parent.process.thread.id", ProcessSessionLeaderParentProcessThreadId, - "process.session_leader.parent.process.thread.name", ProcessSessionLeaderParentProcessThreadName, - "process.session_leader.parent.process.title", ProcessSessionLeaderParentProcessTitle, - "process.session_leader.parent.process.uptime", ProcessSessionLeaderParentProcessUptime, - "process.session_leader.parent.process.vpid", ProcessSessionLeaderParentProcessVpid, - "process.session_leader.parent.process.working_directory", ProcessSessionLeaderParentProcessWorkingDirectory, - "session_leader.process.parent.session_leader.parent.session_leader.process.args_count", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount, - "session_leader.process.parent.session_leader.parent.session_leader.process.command_line", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine, - "session_leader.process.parent.session_leader.parent.session_leader.process.end", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd, - "session_leader.process.parent.session_leader.parent.session_leader.process.entity_id", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId, - "session_leader.process.parent.session_leader.parent.session_leader.process.executable", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable, - "session_leader.process.parent.session_leader.parent.session_leader.process.exit_code", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode, - 
"session_leader.process.parent.session_leader.parent.session_leader.process.interactive", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive, - "session_leader.process.parent.session_leader.parent.session_leader.process.name", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName, - "session_leader.process.parent.session_leader.parent.session_leader.process.pgid", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid, - "session_leader.process.parent.session_leader.parent.session_leader.process.pid", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid, - "session_leader.process.parent.session_leader.parent.session_leader.process.start", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart, - "session_leader.process.parent.session_leader.parent.session_leader.process.thread.id", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId, - "session_leader.process.parent.session_leader.parent.session_leader.process.thread.name", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName, - "session_leader.process.parent.session_leader.parent.session_leader.process.title", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle, - "session_leader.process.parent.session_leader.parent.session_leader.process.uptime", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime, - "session_leader.process.parent.session_leader.parent.session_leader.process.vpid", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid, - "session_leader.process.parent.session_leader.parent.session_leader.process.working_directory", SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory, + "process.saved_user.domain", ProcessSavedUserDomain, + "process.saved_user.email", ProcessSavedUserEmail, + "process.saved_user.full_name", ProcessSavedUserFullName, + "process.saved_user.hash", ProcessSavedUserHash, 
+ "process.saved_user.id", ProcessSavedUserId, + "process.saved_user.name", ProcessSavedUserName, + "process.saved_user.group.domain", ProcessSavedUserGroupDomain, + "process.saved_user.group.id", ProcessSavedUserGroupId, + "process.saved_user.group.name", ProcessSavedUserGroupName, + "process.saved_user.risk.calculated_level", ProcessSavedUserRiskCalculatedLevel, + "process.saved_user.risk.calculated_score", ProcessSavedUserRiskCalculatedScore, + "process.saved_user.risk.calculated_score_norm", ProcessSavedUserRiskCalculatedScoreNorm, + "process.saved_user.risk.static_level", ProcessSavedUserRiskStaticLevel, + "process.saved_user.risk.static_score", ProcessSavedUserRiskStaticScore, + "process.saved_user.risk.static_score_norm", ProcessSavedUserRiskStaticScoreNorm, + "process.real_user.domain", ProcessRealUserDomain, + "process.real_user.email", ProcessRealUserEmail, + "process.real_user.full_name", ProcessRealUserFullName, + "process.real_user.hash", ProcessRealUserHash, + "process.real_user.id", ProcessRealUserId, + "process.real_user.name", ProcessRealUserName, + "process.real_user.group.domain", ProcessRealUserGroupDomain, + "process.real_user.group.id", ProcessRealUserGroupId, + "process.real_user.group.name", ProcessRealUserGroupName, + "process.real_user.risk.calculated_level", ProcessRealUserRiskCalculatedLevel, + "process.real_user.risk.calculated_score", ProcessRealUserRiskCalculatedScore, + "process.real_user.risk.calculated_score_norm", ProcessRealUserRiskCalculatedScoreNorm, + "process.real_user.risk.static_level", ProcessRealUserRiskStaticLevel, + "process.real_user.risk.static_score", ProcessRealUserRiskStaticScore, + "process.real_user.risk.static_score_norm", ProcessRealUserRiskStaticScoreNorm, + "process.attested_user.domain", ProcessAttestedUserDomain, + "process.attested_user.email", ProcessAttestedUserEmail, + "process.attested_user.full_name", ProcessAttestedUserFullName, + "process.attested_user.hash", ProcessAttestedUserHash, + 
"process.attested_user.id", ProcessAttestedUserId, + "process.attested_user.name", ProcessAttestedUserName, + "process.attested_user.group.domain", ProcessAttestedUserGroupDomain, + "process.attested_user.group.id", ProcessAttestedUserGroupId, + "process.attested_user.group.name", ProcessAttestedUserGroupName, + "process.attested_user.risk.calculated_level", ProcessAttestedUserRiskCalculatedLevel, + "process.attested_user.risk.calculated_score", ProcessAttestedUserRiskCalculatedScore, + "process.attested_user.risk.calculated_score_norm", ProcessAttestedUserRiskCalculatedScoreNorm, + "process.attested_user.risk.static_level", ProcessAttestedUserRiskStaticLevel, + "process.attested_user.risk.static_score", ProcessAttestedUserRiskStaticScore, + "process.attested_user.risk.static_score_norm", ProcessAttestedUserRiskStaticScoreNorm, "registry.data.bytes", RegistryDataBytes, "registry.data.type", RegistryDataType, "registry.hive", RegistryHive, @@ -8591,6 +7789,7 @@ public static class LogTemplateProperties "server.geo.continent_name", ServerGeoContinentName, "server.geo.country_iso_code", ServerGeoCountryIsoCode, "server.geo.country_name", ServerGeoCountryName, + "server.geo.location", ServerGeoLocation, "server.geo.name", ServerGeoName, "server.geo.postal_code", ServerGeoPostalCode, "server.geo.region_iso_code", ServerGeoRegionIsoCode, 
@@ -8611,12 +7810,6 @@ public static class LogTemplateProperties "server.user.risk.static_level", ServerUserRiskStaticLevel, "server.user.risk.static_score", ServerUserRiskStaticScore, "server.user.risk.static_score_norm", ServerUserRiskStaticScoreNorm, - "server.user.target.user.domain", ServerUserTargetUserDomain, - "server.user.target.user.email", ServerUserTargetUserEmail, - "server.user.target.user.full_name", ServerUserTargetUserFullName, - "server.user.target.user.hash", ServerUserTargetUserHash, - "server.user.target.user.id", ServerUserTargetUserId, - "server.user.target.user.name", ServerUserTargetUserName, "service.address", ServiceAddress, "service.environment", ServiceEnvironment, "service.ephemeral_id", ServiceEphemeralId, @@ -8627,16 +7820,6 @@ public static class LogTemplateProperties "service.state", ServiceState, "service.type", ServiceType, "service.version", ServiceVersion, - "origin.service.address", OriginServiceAddress, - "origin.service.environment", OriginServiceEnvironment, - "origin.service.ephemeral_id", OriginServiceEphemeralId, - "origin.service.id", OriginServiceId, - "origin.service.name", OriginServiceName, - "origin.service.node.name", OriginServiceNodeName, - "origin.service.node.role", OriginServiceNodeRole, - "origin.service.state", OriginServiceState, - "origin.service.type", OriginServiceType, - "origin.service.version", OriginServiceVersion, "source.address", SourceAddress, "source.bytes", SourceBytes, "source.domain", SourceDomain, @@ -8656,6 +7839,7 @@ public static class LogTemplateProperties "source.geo.continent_name", SourceGeoContinentName, "source.geo.country_iso_code", SourceGeoCountryIsoCode, "source.geo.country_name", SourceGeoCountryName, + "source.geo.location", SourceGeoLocation, "source.geo.name", SourceGeoName, "source.geo.postal_code", SourceGeoPostalCode, "source.geo.region_iso_code", SourceGeoRegionIsoCode, 
@@ -8676,12 +7860,6 @@ public static class LogTemplateProperties "source.user.risk.static_level", SourceUserRiskStaticLevel, "source.user.risk.static_score", SourceUserRiskStaticScore, "source.user.risk.static_score_norm", SourceUserRiskStaticScoreNorm, - "source.user.target.user.domain", SourceUserTargetUserDomain, - "source.user.target.user.email", SourceUserTargetUserEmail, - "source.user.target.user.full_name", SourceUserTargetUserFullName, - "source.user.target.user.hash", SourceUserTargetUserHash, - "source.user.target.user.id", SourceUserTargetUserId, - "source.user.target.user.name", SourceUserTargetUserName, "threat.feed.dashboard_id", ThreatFeedDashboardId, "threat.feed.description", ThreatFeedDescription, "threat.feed.name", ThreatFeedName, @@ -8822,6 +8000,7 @@ public static class LogTemplateProperties "threat.indicator.geo.continent_name", ThreatIndicatorGeoContinentName, "threat.indicator.geo.country_iso_code", ThreatIndicatorGeoCountryIsoCode, "threat.indicator.geo.country_name", ThreatIndicatorGeoCountryName, + "threat.indicator.geo.location", ThreatIndicatorGeoLocation, "threat.indicator.geo.name", ThreatIndicatorGeoName, "threat.indicator.geo.postal_code", ThreatIndicatorGeoPostalCode, "threat.indicator.geo.region_iso_code", ThreatIndicatorGeoRegionIsoCode, @@ -8913,12 +8092,6 @@ public static class LogTemplateProperties "user.risk.static_level", UserRiskStaticLevel, "user.risk.static_score", UserRiskStaticScore, "user.risk.static_score_norm", UserRiskStaticScoreNorm, - "target.user.domain", TargetUserDomain, - "target.user.email", TargetUserEmail, - "target.user.full_name", TargetUserFullName, - "target.user.hash", TargetUserHash, - "target.user.id", TargetUserId, - "target.user.name", TargetUserName, "user_agent.device.name", UserAgentDeviceName, "user_agent.name", UserAgentName, "user_agent.original", UserAgentOriginal, 
diff --git a/src/Elastic.CommonSchema/PropDispatch.Generated.cs b/src/Elastic.CommonSchema/PropDispatch.Generated.cs index b7dea5e8..76239362 100644 --- a/src/Elastic.CommonSchema/PropDispatch.Generated.cs +++ b/src/Elastic.CommonSchema/PropDispatch.Generated.cs @@ -723,6 +723,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ClientGeoCountryIsoCode": case "client.geo.country_name": case "ClientGeoCountryName": + case "client.geo.location": + case "ClientGeoLocation": case "client.geo.name": case "ClientGeoName": case "client.geo.postal_code": @@ -763,18 +765,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ClientUserRiskStaticScore": case "client.user.risk.static_score_norm": case "ClientUserRiskStaticScoreNorm": - case "client.user.target.user.domain": - case "ClientUserTargetUserDomain": - case "client.user.target.user.email": - case "ClientUserTargetUserEmail": - case "client.user.target.user.full_name": - case "ClientUserTargetUserFullName": - case "client.user.target.user.hash": - case "ClientUserTargetUserHash": - case "client.user.target.user.id": - case "ClientUserTargetUserId": - case "client.user.target.user.name": - case "ClientUserTargetUserName": return TrySetClient(document, path, value); case "cloud.account.id": case "CloudAccountId": 
@@ -798,28 +788,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "CloudRegion": case "cloud.service.name": case "CloudServiceName": - case "origin.cloud.account.id": - case "OriginCloudAccountId": - case "origin.cloud.account.name": - case "OriginCloudAccountName": - case "origin.cloud.availability_zone": - case "OriginCloudAvailabilityZone": - case "origin.cloud.instance.id": - case "OriginCloudInstanceId": - case "origin.cloud.instance.name": - case "OriginCloudInstanceName": - case "origin.cloud.machine.type": - case "OriginCloudMachineType": - case "origin.cloud.project.id": - case "OriginCloudProjectId": - case "origin.cloud.project.name": - case "OriginCloudProjectName": - case "origin.cloud.provider": - case "OriginCloudProvider": - case "origin.cloud.region": - case "OriginCloudRegion": - case "origin.cloud.service.name": - case "OriginCloudServiceName": return TrySetCloud(document, path, value); case "code_signature.digest_algorithm": case "CodeSignatureDigestAlgorithm": @@ -908,6 +876,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DestinationGeoCountryIsoCode": case "destination.geo.country_name": case "DestinationGeoCountryName": + case "destination.geo.location": + case "DestinationGeoLocation": case "destination.geo.name": case "DestinationGeoName": case "destination.geo.postal_code": 
@@ -948,18 +918,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DestinationUserRiskStaticScore": case "destination.user.risk.static_score_norm": case "DestinationUserRiskStaticScoreNorm": - case "destination.user.target.user.domain": - case "DestinationUserTargetUserDomain": - case "destination.user.target.user.email": - case "DestinationUserTargetUserEmail": - case "destination.user.target.user.full_name": - case "DestinationUserTargetUserFullName": - case "destination.user.target.user.hash": - case "DestinationUserTargetUserHash": - case "destination.user.target.user.id": - case "DestinationUserTargetUserId": - case "destination.user.target.user.name": - case "DestinationUserTargetUserName": return TrySetDestination(document, path, value); case "device.id": case "DeviceId": @@ -1399,6 +1357,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "GeoCountryIsoCode": case "geo.country_name": case "GeoCountryName": + case "geo.location": + case "GeoLocation": case "geo.name": case "GeoName": case "geo.postal_code": @@ -1474,6 +1434,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "HostGeoCountryIsoCode": case "host.geo.country_name": case "HostGeoCountryName": + case "host.geo.location": + case "HostGeoLocation": case "host.geo.name": case "HostGeoName": case "host.geo.postal_code": @@ -1628,6 +1590,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ObserverGeoCountryIsoCode": case "observer.geo.country_name": case "ObserverGeoCountryName": + case "observer.geo.location": + case "ObserverGeoLocation": case "observer.geo.name": case "ObserverGeoName": case "observer.geo.postal_code": 
@@ -1798,6 +1762,18 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessGroupId": case "process.group.name": case "ProcessGroupName": + case "process.real_group.domain": + case "ProcessRealGroupDomain": + case "process.real_group.id": + case "ProcessRealGroupId": + case "process.real_group.name": + case "ProcessRealGroupName": + case "process.saved_group.domain": + case "ProcessSavedGroupDomain": + case "process.saved_group.id": + case "ProcessSavedGroupId": + case "process.saved_group.name": + case "ProcessSavedGroupName": case "process.hash.md5": case "ProcessHashMd5": case "process.hash.sha1": @@ -1960,6 +1936,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessEntryMetaSourceGeoCountryIsoCode": case "process.entry_meta.source.geo.country_name": case "ProcessEntryMetaSourceGeoCountryName": + case "process.entry_meta.source.geo.location": + case "ProcessEntryMetaSourceGeoLocation": case "process.entry_meta.source.geo.name": case "ProcessEntryMetaSourceGeoName": case "process.entry_meta.source.geo.postal_code": 
@@ -2000,18 +1978,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessEntryMetaSourceUserRiskStaticScore": case "process.entry_meta.source.user.risk.static_score_norm": case "ProcessEntryMetaSourceUserRiskStaticScoreNorm": - case "process.entry_meta.source.user.target.user.domain": - case "ProcessEntryMetaSourceUserTargetUserDomain": - case "process.entry_meta.source.user.target.user.email": - case "ProcessEntryMetaSourceUserTargetUserEmail": - case "process.entry_meta.source.user.target.user.full_name": - case "ProcessEntryMetaSourceUserTargetUserFullName": - case "process.entry_meta.source.user.target.user.hash": - case "ProcessEntryMetaSourceUserTargetUserHash": - case "process.entry_meta.source.user.target.user.id": - case "ProcessEntryMetaSourceUserTargetUserId": - case "process.entry_meta.source.user.target.user.name": - case "ProcessEntryMetaSourceUserTargetUserName": case "process.user.domain": case "ProcessUserDomain": case "process.user.email": 
@@ -2042,222 +2008,96 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessUserRiskStaticScore": case "process.user.risk.static_score_norm": case "ProcessUserRiskStaticScoreNorm": - case "process.user.target.user.domain": - case "ProcessUserTargetUserDomain": - case "process.user.target.user.email": - case "ProcessUserTargetUserEmail": - case "process.user.target.user.full_name": - case "ProcessUserTargetUserFullName": - case "process.user.target.user.hash": - case "ProcessUserTargetUserHash": - case "process.user.target.user.id": - case "ProcessUserTargetUserId": - case "process.user.target.user.name": - case "ProcessUserTargetUserName": - case "parent.process.args_count": - case "ParentProcessArgsCount": - case "parent.process.command_line": - case "ParentProcessCommandLine": - case "parent.process.end": - case "ParentProcessEnd": - case "parent.process.entity_id": - case "ParentProcessEntityId": - case "parent.process.executable": - case "ParentProcessExecutable": - case "parent.process.exit_code": - case "ParentProcessExitCode": - case "parent.process.interactive": - case "ParentProcessInteractive": - case "parent.process.name": - case "ParentProcessName": - case "parent.process.pgid": - case "ParentProcessPgid": - case "parent.process.pid": - case "ParentProcessPid": - case "parent.process.start": - case "ParentProcessStart": - case "parent.process.thread.id": - case "ParentProcessThreadId": - case "parent.process.thread.name": - case "ParentProcessThreadName": - case "parent.process.title": - case "ParentProcessTitle": - case "parent.process.uptime": - case "ParentProcessUptime": - case "parent.process.vpid": - case "ParentProcessVpid": - case "parent.process.working_directory": - case "ParentProcessWorkingDirectory": - case "process.parent.group_leader.process.args_count": - case "ProcessParentGroupLeaderProcessArgsCount": - case "process.parent.group_leader.process.command_line": - case 
"ProcessParentGroupLeaderProcessCommandLine": - case "process.parent.group_leader.process.end": - case "ProcessParentGroupLeaderProcessEnd": - case "process.parent.group_leader.process.entity_id": - case "ProcessParentGroupLeaderProcessEntityId": - case "process.parent.group_leader.process.executable": - case "ProcessParentGroupLeaderProcessExecutable": - case "process.parent.group_leader.process.exit_code": - case "ProcessParentGroupLeaderProcessExitCode": - case "process.parent.group_leader.process.interactive": - case "ProcessParentGroupLeaderProcessInteractive": - case "process.parent.group_leader.process.name": - case "ProcessParentGroupLeaderProcessName": - case "process.parent.group_leader.process.pgid": - case "ProcessParentGroupLeaderProcessPgid": - case "process.parent.group_leader.process.pid": - case "ProcessParentGroupLeaderProcessPid": - case "process.parent.group_leader.process.start": - case "ProcessParentGroupLeaderProcessStart": - case "process.parent.group_leader.process.thread.id": - case "ProcessParentGroupLeaderProcessThreadId": - case "process.parent.group_leader.process.thread.name": - case "ProcessParentGroupLeaderProcessThreadName": - case "process.parent.group_leader.process.title": - case "ProcessParentGroupLeaderProcessTitle": - case "process.parent.group_leader.process.uptime": - case "ProcessParentGroupLeaderProcessUptime": - case "process.parent.group_leader.process.vpid": - case "ProcessParentGroupLeaderProcessVpid": - case "process.parent.group_leader.process.working_directory": - case "ProcessParentGroupLeaderProcessWorkingDirectory": - case "process.entry_leader.parent.process.args_count": - case "ProcessEntryLeaderParentProcessArgsCount": - case "process.entry_leader.parent.process.command_line": - case "ProcessEntryLeaderParentProcessCommandLine": - case "process.entry_leader.parent.process.end": - case "ProcessEntryLeaderParentProcessEnd": - case "process.entry_leader.parent.process.entity_id": - case 
"ProcessEntryLeaderParentProcessEntityId": - case "process.entry_leader.parent.process.executable": - case "ProcessEntryLeaderParentProcessExecutable": - case "process.entry_leader.parent.process.exit_code": - case "ProcessEntryLeaderParentProcessExitCode": - case "process.entry_leader.parent.process.interactive": - case "ProcessEntryLeaderParentProcessInteractive": - case "process.entry_leader.parent.process.name": - case "ProcessEntryLeaderParentProcessName": - case "process.entry_leader.parent.process.pgid": - case "ProcessEntryLeaderParentProcessPgid": - case "process.entry_leader.parent.process.pid": - case "ProcessEntryLeaderParentProcessPid": - case "process.entry_leader.parent.process.start": - case "ProcessEntryLeaderParentProcessStart": - case "process.entry_leader.parent.process.thread.id": - case "ProcessEntryLeaderParentProcessThreadId": - case "process.entry_leader.parent.process.thread.name": - case "ProcessEntryLeaderParentProcessThreadName": - case "process.entry_leader.parent.process.title": - case "ProcessEntryLeaderParentProcessTitle": - case "process.entry_leader.parent.process.uptime": - case "ProcessEntryLeaderParentProcessUptime": - case "process.entry_leader.parent.process.vpid": - case "ProcessEntryLeaderParentProcessVpid": - case "process.entry_leader.parent.process.working_directory": - case "ProcessEntryLeaderParentProcessWorkingDirectory": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.end": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id": - case 
"EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.executable": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.name": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.pid": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.start": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.title": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime": - case 
"entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid": - case "entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory": - case "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory": - case "process.session_leader.parent.process.args_count": - case "ProcessSessionLeaderParentProcessArgsCount": - case "process.session_leader.parent.process.command_line": - case "ProcessSessionLeaderParentProcessCommandLine": - case "process.session_leader.parent.process.end": - case "ProcessSessionLeaderParentProcessEnd": - case "process.session_leader.parent.process.entity_id": - case "ProcessSessionLeaderParentProcessEntityId": - case "process.session_leader.parent.process.executable": - case "ProcessSessionLeaderParentProcessExecutable": - case "process.session_leader.parent.process.exit_code": - case "ProcessSessionLeaderParentProcessExitCode": - case "process.session_leader.parent.process.interactive": - case "ProcessSessionLeaderParentProcessInteractive": - case "process.session_leader.parent.process.name": - case "ProcessSessionLeaderParentProcessName": - case "process.session_leader.parent.process.pgid": - case "ProcessSessionLeaderParentProcessPgid": - case "process.session_leader.parent.process.pid": - case "ProcessSessionLeaderParentProcessPid": - case "process.session_leader.parent.process.start": - case "ProcessSessionLeaderParentProcessStart": - case "process.session_leader.parent.process.thread.id": - case "ProcessSessionLeaderParentProcessThreadId": - case "process.session_leader.parent.process.thread.name": - case "ProcessSessionLeaderParentProcessThreadName": - case "process.session_leader.parent.process.title": - case "ProcessSessionLeaderParentProcessTitle": - case "process.session_leader.parent.process.uptime": - case "ProcessSessionLeaderParentProcessUptime": - case 
"process.session_leader.parent.process.vpid": - case "ProcessSessionLeaderParentProcessVpid": - case "process.session_leader.parent.process.working_directory": - case "ProcessSessionLeaderParentProcessWorkingDirectory": - case "session_leader.process.parent.session_leader.parent.session_leader.process.args_count": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount": - case "session_leader.process.parent.session_leader.parent.session_leader.process.command_line": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine": - case "session_leader.process.parent.session_leader.parent.session_leader.process.end": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd": - case "session_leader.process.parent.session_leader.parent.session_leader.process.entity_id": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId": - case "session_leader.process.parent.session_leader.parent.session_leader.process.executable": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable": - case "session_leader.process.parent.session_leader.parent.session_leader.process.exit_code": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode": - case "session_leader.process.parent.session_leader.parent.session_leader.process.interactive": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive": - case "session_leader.process.parent.session_leader.parent.session_leader.process.name": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName": - case "session_leader.process.parent.session_leader.parent.session_leader.process.pgid": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid": - case "session_leader.process.parent.session_leader.parent.session_leader.process.pid": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid": - case 
"session_leader.process.parent.session_leader.parent.session_leader.process.start": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart": - case "session_leader.process.parent.session_leader.parent.session_leader.process.thread.id": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId": - case "session_leader.process.parent.session_leader.parent.session_leader.process.thread.name": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName": - case "session_leader.process.parent.session_leader.parent.session_leader.process.title": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle": - case "session_leader.process.parent.session_leader.parent.session_leader.process.uptime": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime": - case "session_leader.process.parent.session_leader.parent.session_leader.process.vpid": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid": - case "session_leader.process.parent.session_leader.parent.session_leader.process.working_directory": - case "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory": + case "process.saved_user.domain": + case "ProcessSavedUserDomain": + case "process.saved_user.email": + case "ProcessSavedUserEmail": + case "process.saved_user.full_name": + case "ProcessSavedUserFullName": + case "process.saved_user.hash": + case "ProcessSavedUserHash": + case "process.saved_user.id": + case "ProcessSavedUserId": + case "process.saved_user.name": + case "ProcessSavedUserName": + case "process.saved_user.group.domain": + case "ProcessSavedUserGroupDomain": + case "process.saved_user.group.id": + case "ProcessSavedUserGroupId": + case "process.saved_user.group.name": + case "ProcessSavedUserGroupName": + case "process.saved_user.risk.calculated_level": + case "ProcessSavedUserRiskCalculatedLevel": + case 
"process.saved_user.risk.calculated_score": + case "ProcessSavedUserRiskCalculatedScore": + case "process.saved_user.risk.calculated_score_norm": + case "ProcessSavedUserRiskCalculatedScoreNorm": + case "process.saved_user.risk.static_level": + case "ProcessSavedUserRiskStaticLevel": + case "process.saved_user.risk.static_score": + case "ProcessSavedUserRiskStaticScore": + case "process.saved_user.risk.static_score_norm": + case "ProcessSavedUserRiskStaticScoreNorm": + case "process.real_user.domain": + case "ProcessRealUserDomain": + case "process.real_user.email": + case "ProcessRealUserEmail": + case "process.real_user.full_name": + case "ProcessRealUserFullName": + case "process.real_user.hash": + case "ProcessRealUserHash": + case "process.real_user.id": + case "ProcessRealUserId": + case "process.real_user.name": + case "ProcessRealUserName": + case "process.real_user.group.domain": + case "ProcessRealUserGroupDomain": + case "process.real_user.group.id": + case "ProcessRealUserGroupId": + case "process.real_user.group.name": + case "ProcessRealUserGroupName": + case "process.real_user.risk.calculated_level": + case "ProcessRealUserRiskCalculatedLevel": + case "process.real_user.risk.calculated_score": + case "ProcessRealUserRiskCalculatedScore": + case "process.real_user.risk.calculated_score_norm": + case "ProcessRealUserRiskCalculatedScoreNorm": + case "process.real_user.risk.static_level": + case "ProcessRealUserRiskStaticLevel": + case "process.real_user.risk.static_score": + case "ProcessRealUserRiskStaticScore": + case "process.real_user.risk.static_score_norm": + case "ProcessRealUserRiskStaticScoreNorm": + case "process.attested_user.domain": + case "ProcessAttestedUserDomain": + case "process.attested_user.email": + case "ProcessAttestedUserEmail": + case "process.attested_user.full_name": + case "ProcessAttestedUserFullName": + case "process.attested_user.hash": + case "ProcessAttestedUserHash": + case "process.attested_user.id": + case 
"ProcessAttestedUserId": + case "process.attested_user.name": + case "ProcessAttestedUserName": + case "process.attested_user.group.domain": + case "ProcessAttestedUserGroupDomain": + case "process.attested_user.group.id": + case "ProcessAttestedUserGroupId": + case "process.attested_user.group.name": + case "ProcessAttestedUserGroupName": + case "process.attested_user.risk.calculated_level": + case "ProcessAttestedUserRiskCalculatedLevel": + case "process.attested_user.risk.calculated_score": + case "ProcessAttestedUserRiskCalculatedScore": + case "process.attested_user.risk.calculated_score_norm": + case "ProcessAttestedUserRiskCalculatedScoreNorm": + case "process.attested_user.risk.static_level": + case "ProcessAttestedUserRiskStaticLevel": + case "process.attested_user.risk.static_score": + case "ProcessAttestedUserRiskStaticScore": + case "process.attested_user.risk.static_score_norm": + case "ProcessAttestedUserRiskStaticScoreNorm": return TrySetProcess(document, path, value); case "registry.data.bytes": case "RegistryDataBytes": @@ -2342,6 +2182,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServerGeoCountryIsoCode": case "server.geo.country_name": case "ServerGeoCountryName": + case "server.geo.location": + case "ServerGeoLocation": case "server.geo.name": case "ServerGeoName": case "server.geo.postal_code": 
@@ -2382,18 +2224,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServerUserRiskStaticScore": case "server.user.risk.static_score_norm": case "ServerUserRiskStaticScoreNorm": - case "server.user.target.user.domain": - case "ServerUserTargetUserDomain": - case "server.user.target.user.email": - case "ServerUserTargetUserEmail": - case "server.user.target.user.full_name": - case "ServerUserTargetUserFullName": - case "server.user.target.user.hash": - case "ServerUserTargetUserHash": - case "server.user.target.user.id": - case "ServerUserTargetUserId": - case "server.user.target.user.name": - case "ServerUserTargetUserName": return TrySetServer(document, path, value); case "service.address": case "ServiceAddress": @@ -2415,26 +2245,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ServiceType": case "service.version": case "ServiceVersion": - case "origin.service.address": - case "OriginServiceAddress": - case "origin.service.environment": - case "OriginServiceEnvironment": - case "origin.service.ephemeral_id": - case "OriginServiceEphemeralId": - case "origin.service.id": - case "OriginServiceId": - case "origin.service.name": - case "OriginServiceName": - case "origin.service.node.name": - case "OriginServiceNodeName": - case "origin.service.node.role": - case "OriginServiceNodeRole": - case "origin.service.state": - case "OriginServiceState": - case "origin.service.type": - case "OriginServiceType": - case "origin.service.version": - case "OriginServiceVersion": return TrySetService(document, path, value); case "source.address": case "SourceAddress": @@ -2474,6 +2284,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "SourceGeoCountryIsoCode": case "source.geo.country_name": case "SourceGeoCountryName": + case "source.geo.location": + case "SourceGeoLocation": case "source.geo.name": case "SourceGeoName": case "source.geo.postal_code": 
@@ -2514,18 +2326,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "SourceUserRiskStaticScore": case "source.user.risk.static_score_norm": case "SourceUserRiskStaticScoreNorm": - case "source.user.target.user.domain": - case "SourceUserTargetUserDomain": - case "source.user.target.user.email": - case "SourceUserTargetUserEmail": - case "source.user.target.user.full_name": - case "SourceUserTargetUserFullName": - case "source.user.target.user.hash": - case "SourceUserTargetUserHash": - case "source.user.target.user.id": - case "SourceUserTargetUserId": - case "source.user.target.user.name": - case "SourceUserTargetUserName": return TrySetSource(document, path, value); case "threat.feed.dashboard_id": case "ThreatFeedDashboardId": @@ -2807,6 +2607,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ThreatIndicatorGeoCountryIsoCode": case "threat.indicator.geo.country_name": case "ThreatIndicatorGeoCountryName": + case "threat.indicator.geo.location": + case "ThreatIndicatorGeoLocation": case "threat.indicator.geo.name": case "ThreatIndicatorGeoName": case "threat.indicator.geo.postal_code": @@ -2992,18 +2794,6 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "UserRiskStaticScore": case "user.risk.static_score_norm": case "UserRiskStaticScoreNorm": - case "target.user.domain": - case "TargetUserDomain": - case "target.user.email": - case "TargetUserEmail": - case "target.user.full_name": - case "TargetUserFullName": - case "target.user.hash": - case "TargetUserHash": - case "target.user.id": - case "TargetUserId": - case "target.user.name": - case "TargetUserName": return TrySetUser(document, path, value); case "user_agent.device.name": case "UserAgentDeviceName": 
@@ -3187,72 +2977,62 @@ public static Func TryAssignClient(string path) "ClientSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "client.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ClientTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "client.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "ClientAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "client.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "ClientAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "client.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "ClientGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "client.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "ClientGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "client.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "ClientGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "client.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "ClientGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "client.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "ClientGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "client.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "ClientGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? 
new Geo(),v), - "client.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "ClientGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "client.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "ClientGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "client.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "ClientGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "client.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "ClientGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "client.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "ClientUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "client.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "ClientUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "client.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "ClientUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "client.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "ClientUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "client.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "ClientUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "client.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), - "ClientUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? 
new User(),v), - "client.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "ClientUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "client.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "ClientUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "client.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "ClientUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "client.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "ClientUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "client.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "ClientUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "client.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "ClientUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "client.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "ClientUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "client.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "ClientUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "client.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? 
new User(),v), - "ClientUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "client.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "ClientUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "client.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "ClientUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "client.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "ClientUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "client.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "ClientUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "client.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "ClientUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "client.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), - "ClientUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? 
new User(),v), + "client.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "ClientAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "client.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "ClientAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "client.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "ClientGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "client.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "ClientGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "client.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "ClientGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "client.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "ClientGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "client.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "ClientGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "client.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "ClientGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "client.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "ClientGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "client.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "ClientGeoPostalCode" => static (e, v) => 
TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "client.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "ClientGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "client.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "ClientGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "client.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "ClientGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "client.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "ClientUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "client.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "ClientUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "client.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "ClientUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "client.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "ClientUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "client.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "ClientUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "client.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "ClientUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "client.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "ClientUserGroupDomain" => static (e, v) => 
TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "client.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "ClientUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "client.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "ClientUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "client.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "ClientUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "client.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "ClientUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "client.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "ClientUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "client.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "ClientUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "client.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "ClientUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "client.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "ClientUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; return 
assign; 
@@ -3294,28 +3074,6 @@ public static Func TryAssignCloud(string path) "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - "origin.cloud.account.id" => static (e, v) => TryAssignCloudOrigin("cloud.account.id")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudAccountId" => static (e, v) => TryAssignCloudOrigin("cloud.account.id")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.account.name" => static (e, v) => TryAssignCloudOrigin("cloud.account.name")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudAccountName" => static (e, v) => TryAssignCloudOrigin("cloud.account.name")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.availability_zone" => static (e, v) => TryAssignCloudOrigin("cloud.availability_zone")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudAvailabilityZone" => static (e, v) => TryAssignCloudOrigin("cloud.availability_zone")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.instance.id" => static (e, v) => TryAssignCloudOrigin("cloud.instance.id")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudInstanceId" => static (e, v) => TryAssignCloudOrigin("cloud.instance.id")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.instance.name" => static (e, v) => TryAssignCloudOrigin("cloud.instance.name")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudInstanceName" => static (e, v) => TryAssignCloudOrigin("cloud.instance.name")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.machine.type" => static (e, v) => TryAssignCloudOrigin("cloud.machine.type")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudMachineType" => static (e, v) => TryAssignCloudOrigin("cloud.machine.type")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.project.id" => static (e, v) => TryAssignCloudOrigin("cloud.project.id")(e.Origin ?? 
new CloudOrigin(),v), - "OriginCloudProjectId" => static (e, v) => TryAssignCloudOrigin("cloud.project.id")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.project.name" => static (e, v) => TryAssignCloudOrigin("cloud.project.name")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudProjectName" => static (e, v) => TryAssignCloudOrigin("cloud.project.name")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.provider" => static (e, v) => TryAssignCloudOrigin("cloud.provider")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudProvider" => static (e, v) => TryAssignCloudOrigin("cloud.provider")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.region" => static (e, v) => TryAssignCloudOrigin("cloud.region")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudRegion" => static (e, v) => TryAssignCloudOrigin("cloud.region")(e.Origin ?? new CloudOrigin(),v), - "origin.cloud.service.name" => static (e, v) => TryAssignCloudOrigin("cloud.service.name")(e.Origin ?? new CloudOrigin(),v), - "OriginCloudServiceName" => static (e, v) => TryAssignCloudOrigin("cloud.service.name")(e.Origin ?? new CloudOrigin(),v), _ => null }; return assign; 
@@ -3462,72 +3220,62 @@ public static Func TryAssignDestination(string path) "DestinationSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "destination.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "DestinationTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "destination.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "DestinationAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "destination.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "DestinationAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "destination.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "DestinationGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "destination.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "DestinationGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "destination.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "DestinationGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "destination.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "DestinationGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "destination.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "DestinationGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "destination.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? 
new Geo(),v), - "DestinationGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "destination.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "DestinationGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "destination.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "DestinationGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "destination.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "DestinationGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "destination.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "DestinationGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "destination.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "DestinationUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "destination.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "DestinationUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "destination.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "DestinationUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "destination.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "DestinationUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "destination.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "DestinationUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? 
new User(),v), - "destination.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), - "DestinationUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), - "destination.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "DestinationUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "destination.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "DestinationUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "destination.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "DestinationUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "destination.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "DestinationUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "destination.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "DestinationUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "destination.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "DestinationUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "destination.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "DestinationUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? 
new User(),v), - "destination.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "DestinationUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "destination.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "DestinationUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "destination.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "DestinationUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "destination.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "DestinationUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "destination.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "DestinationUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "destination.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "DestinationUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "destination.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "DestinationUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "destination.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), - "DestinationUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? 
new User(),v), + "destination.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "DestinationAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "destination.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "DestinationAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "destination.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "DestinationGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "destination.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "DestinationGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "destination.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "DestinationGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "destination.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "DestinationGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "destination.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "DestinationGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "destination.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "DestinationGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "destination.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "DestinationGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "destination.geo.postal_code" => static (e, v) => 
TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "DestinationGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "destination.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "DestinationGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "destination.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "DestinationGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "destination.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "DestinationGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "destination.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "DestinationUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "destination.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "DestinationUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "destination.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "DestinationUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "destination.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "DestinationUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "destination.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "DestinationUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "destination.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "DestinationUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new 
User(),v), + "destination.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "DestinationUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "destination.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "DestinationUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "destination.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "DestinationUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "destination.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "DestinationUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "destination.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "DestinationUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "destination.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "DestinationUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "destination.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "DestinationUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "destination.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "DestinationUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + 
"destination.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "DestinationUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; return assign; 
@@ -3578,70 +3326,70 @@ public static Func TryAssignDll(string path) "DllName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "dll.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), "DllPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), - "dll.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), - "DllHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), - "dll.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), - "DllHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), - "dll.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), - "DllHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), - "dll.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), - "DllHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), - "dll.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), - "DllHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), - "dll.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), - "DllHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), - "dll.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), - "DllHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), - "dll.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), - "DllPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), - "dll.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), - "DllPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? 
new Pe(),v), - "dll.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), - "DllPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), - "dll.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), - "DllPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), - "dll.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), - "DllPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), - "dll.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), - "DllPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), - "dll.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), - "DllPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), - "dll.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "DllPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "dll.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), - "DllPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), - "dll.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), - "DllPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), - "dll.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), - "DllPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), - "dll.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? 
new Pe(),v), - "DllPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), - "dll.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "DllPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "dll.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), - "DllPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), - "dll.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), - "DllPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), - "dll.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), - "DllPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), - "dll.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? 
new CodeSignature(),v), - "DllCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), - "dll.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), - "DllCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? 
new CodeSignature(),v), + "dll.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "DllHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "dll.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "DllHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "dll.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "DllHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "dll.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "DllHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "dll.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "DllHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "dll.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "DllHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "dll.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "DllHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "dll.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "DllPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "dll.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "DllPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "dll.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "DllPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "dll.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "DllPeFileVersion" => static (e, v) 
=> TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "dll.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "DllPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "dll.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "DllPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "dll.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "DllPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "DllPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "DllPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "dll.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "DllPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "dll.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "DllPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "dll.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "DllPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "DllPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.original_file_name" => static (e, v) => 
TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "DllPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "dll.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "DllPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "dll.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "DllPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "dll.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + 
"dll.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), _ => null }; return assign; 
@@ -3990,152 +3738,152 @@ public static Func TryAssignFile(string path) "FileType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "file.uid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), "FileUid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), - "file.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), - "FileHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), - "file.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), - "FileHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), - "file.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), - "FileHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), - "file.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), - "FileHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), - "file.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), - "FileHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), - "file.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), - "FileHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), - "file.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), - "FileHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), - "file.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), - "FilePeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), - "file.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), - "FilePeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? 
new Pe(),v), - "file.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), - "FilePeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), - "file.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), - "FilePeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), - "file.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), - "FilePeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), - "file.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), - "FilePeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), - "file.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), - "FilePeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), - "file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "FilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "file.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), - "FilePeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), - "file.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), - "FilePeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), - "file.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), - "FilePeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), - "file.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? 
new Pe(),v), - "FilePeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), - "file.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "FilePeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "file.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), - "FilePeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), - "file.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), - "FilePePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), - "file.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), - "FilePeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), - "file.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ?? new X509(),v), - "FileX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ?? new X509(),v), - "file.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ?? new X509(),v), - "FileX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ?? new X509(),v), - "file.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ?? new X509(),v), - "FileX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ?? new X509(),v), - "file.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ?? new X509(),v), - "FileX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ?? new X509(),v), - "file.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ?? 
new X509(),v), - "FileX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ?? new X509(),v), - "file.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ?? new X509(),v), - "FileX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ?? new X509(),v), - "file.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ?? new X509(),v), - "FileX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ?? new X509(),v), - "file.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ?? new X509(),v), - "FileX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ?? new X509(),v), - "file.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ?? new X509(),v), - "FileX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ?? new X509(),v), - "file.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ?? new X509(),v), - "FileX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ?? new X509(),v), - "file.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ?? new X509(),v), - "FileX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ?? new X509(),v), - "file.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? 
new CodeSignature(),v), - "FileCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), - "file.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? 
new CodeSignature(),v), - "file.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), - "FileCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), - "file.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), - "FileElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), - "file.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), - "FileElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), - "file.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), - "FileElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), - "file.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), - "FileElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), - "file.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), - "FileElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), - "file.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), - "FileElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), - "file.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), - "FileElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), - "file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "FileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? 
new Elf(),v), - "file.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), - "FileElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), - "file.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), - "FileElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), - "file.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), - "FileElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), - "file.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), - "FileElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), - "file.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), - "FileElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), - "file.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), - "FileElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), - "file.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), - "FileElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), - "file.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), - "FileElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), - "file.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), - "FileElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), - "file.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? 
new Elf(),v), - "FileElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), - "file.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), - "FileElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), - "file.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "FileElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "file.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), - "FileElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), - "file.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), - "FileMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), - "file.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), - "FileMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), - "file.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), - "FileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), - "file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "file.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), - "FileMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? 
new Macho(),v), - "file.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), - "FileMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), - "file.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), - "FileMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), - "file.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "FileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "file.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), - "FileMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), + "file.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "FileHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "file.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "FileHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "file.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "FileHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "file.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "FileHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "file.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "FileHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "file.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + 
"FileHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "file.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "FileHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "file.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "FilePeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "file.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "FilePeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "file.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "FilePeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "file.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "FilePeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "file.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "FilePeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "file.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "FilePeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "file.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "FilePeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "FilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "file.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), 
+ "FilePeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "file.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "FilePeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "file.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "FilePeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "file.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "FilePeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "file.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "FilePeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "file.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "FilePeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "file.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "FilePePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "file.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "FilePeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "file.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ??= new X509(),v), + "FileX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ??= new X509(),v), + "file.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ??= new X509(),v), + "FileX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ??= new X509(),v), + "file.x509.not_before" => static (e, v) => 
TryAssignX509("x509.not_before")(e.X509 ??= new X509(),v), + "FileX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ??= new X509(),v), + "file.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ??= new X509(),v), + "FileX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ??= new X509(),v), + "file.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ??= new X509(),v), + "FileX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ??= new X509(),v), + "file.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ??= new X509(),v), + "FileX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ??= new X509(),v), + "file.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ??= new X509(),v), + "FileX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ??= new X509(),v), + "file.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ??= new X509(),v), + "FileX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ??= new X509(),v), + "file.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ??= new X509(),v), + "FileX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ??= new X509(),v), + "file.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ??= new X509(),v), + "FileX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ??= new X509(),v), + "file.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ??= new X509(),v), + "FileX509VersionNumber" => static (e, v) => 
TryAssignX509("x509.version_number")(e.X509 ??= new X509(),v), + "file.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + 
"FileCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "file.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "FileElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "file.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "FileElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "file.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "FileElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "file.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "FileElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "file.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "FileElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "file.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "FileElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "file.elf.go_imports_names_entropy" => static (e, v) => 
TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "FileElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "FileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "file.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "FileElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "file.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "FileElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "file.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "FileElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "file.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "FileElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "file.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "FileElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "file.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "FileElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "file.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "FileElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "file.elf.header.type" => static (e, v) => 
TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "FileElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "file.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "FileElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "file.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "FileElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "file.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "FileElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "file.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "FileElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "file.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "FileElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "file.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "FileMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "file.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "FileMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "file.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "FileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + 
"file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "file.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "FileMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "file.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "FileMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "file.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "FileMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "file.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "FileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "file.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), + "FileMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), _ => null }; return assign; 
@@ -4165,6 +3913,8 @@ public static Func TryAssignGeo(string path) "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "geo.location" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Location = p), + "GeoLocation" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Location = p), "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), 
@@ -4284,52 +4034,54 @@ public static Func TryAssignHost(string path) "HostType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "host.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), "HostUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "host.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "HostGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "host.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "HostGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "host.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "HostGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "host.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "HostGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "host.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "HostGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "host.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "HostGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "host.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "HostGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "host.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "HostGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? 
new Geo(),v), - "host.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "HostGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "host.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "HostGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "host.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), - "HostOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), - "host.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), - "HostOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), - "host.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), - "HostOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), - "host.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), - "HostOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), - "host.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), - "HostOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), - "host.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), - "HostOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), - "host.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), - "HostOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), - "host.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), - "HostRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), - "host.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), - "HostRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? 
new Risk(),v), - "host.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), - "HostRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), - "host.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), - "HostRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), - "host.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), - "HostRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), - "host.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), - "HostRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), + "host.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "HostGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "host.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "HostGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "host.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "HostGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "host.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "HostGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "host.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "HostGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "host.geo.location" => static (e, v) => 
TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "HostGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "host.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "HostGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "host.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "HostGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "host.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "HostGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "host.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "HostGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "host.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "HostGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "host.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "HostOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "host.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "HostOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "host.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "HostOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "host.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "HostOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "host.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "HostOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "host.os.type" => static (e, v) => 
TryAssignOs("os.type")(e.Os ??= new Os(),v), + "HostOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "host.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "HostOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "host.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "HostRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "host.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "HostRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "host.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "HostRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "host.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "HostRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "host.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "HostRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "host.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), + "HostRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), _ => null }; return assign; 
@@ -4509,10 +4261,10 @@ public static Func TryAssignNetwork(string path) "NetworkTransport" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Transport = p), "network.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "NetworkType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "network.vlan.id" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ?? new Vlan(),v), - "NetworkVlanId" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ?? new Vlan(),v), - "network.vlan.name" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ?? new Vlan(),v), - "NetworkVlanName" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ?? new Vlan(),v), + "network.vlan.id" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ??= new Vlan(),v), + "NetworkVlanId" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ??= new Vlan(),v), + "network.vlan.name" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ??= new Vlan(),v), + "NetworkVlanName" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ??= new Vlan(),v), _ => null }; return assign; 
@@ -4546,40 +4298,42 @@ public static Func TryAssignObserver(string path) "ObserverVendor" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Vendor = p), "observer.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ObserverVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "observer.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "ObserverGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "observer.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "ObserverGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "observer.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "ObserverGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "observer.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "ObserverGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "observer.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "ObserverGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "observer.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "ObserverGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "observer.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "ObserverGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "observer.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? 
new Geo(),v), - "ObserverGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "observer.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "ObserverGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "observer.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "ObserverGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "observer.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), - "ObserverOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), - "observer.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), - "ObserverOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), - "observer.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), - "ObserverOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), - "observer.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), - "ObserverOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), - "observer.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), - "ObserverOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), - "observer.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), - "ObserverOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), - "observer.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), - "ObserverOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ?? 
new Os(),v), + "observer.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "ObserverGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "observer.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "ObserverGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "observer.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "ObserverGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "observer.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "ObserverGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "observer.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "ObserverGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "observer.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "ObserverGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "observer.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "ObserverGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "observer.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "ObserverGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "observer.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "ObserverGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "observer.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + 
"ObserverGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "observer.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "ObserverGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "observer.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "ObserverOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "observer.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "ObserverOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "observer.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "ObserverOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "observer.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "ObserverOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "observer.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "ObserverOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "observer.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "ObserverOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "observer.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "ObserverOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), _ => null }; return assign; 
@@ -4828,472 +4582,348 @@ public static Func TryAssignProcess(string path) "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "process.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), - "ProcessGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), - "process.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), - "ProcessGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), - "process.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), - "ProcessGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), - "process.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), - "ProcessHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ?? new Hash(),v), - "process.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), - "ProcessHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ?? new Hash(),v), - "process.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), - "ProcessHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ?? new Hash(),v), - "process.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), - "ProcessHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ?? new Hash(),v), - "process.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), - "ProcessHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ?? new Hash(),v), - "process.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? 
new Hash(),v), - "ProcessHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ?? new Hash(),v), - "process.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), - "ProcessHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ?? new Hash(),v), - "process.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), - "ProcessPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ?? new Pe(),v), - "process.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), - "ProcessPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ?? new Pe(),v), - "process.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), - "ProcessPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ?? new Pe(),v), - "process.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), - "ProcessPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ?? new Pe(),v), - "process.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), - "ProcessPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ?? new Pe(),v), - "process.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), - "ProcessPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ?? new Pe(),v), - "process.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), - "ProcessPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ?? new Pe(),v), - "process.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "ProcessPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ?? 
new Pe(),v), - "process.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), - "ProcessPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ?? new Pe(),v), - "process.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), - "ProcessPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ?? new Pe(),v), - "process.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), - "ProcessPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ?? new Pe(),v), - "process.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), - "ProcessPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ?? new Pe(),v), - "process.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "ProcessPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ?? new Pe(),v), - "process.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), - "ProcessPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ?? new Pe(),v), - "process.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), - "ProcessPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ?? new Pe(),v), - "process.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), - "ProcessPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ?? new Pe(),v), - "process.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ?? 
new CodeSignature(),v), - "process.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? 
new CodeSignature(),v), - "ProcessCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ?? new CodeSignature(),v), - "process.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), - "ProcessCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ?? new CodeSignature(),v), - "process.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), - "ProcessElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ?? new Elf(),v), - "process.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), - "ProcessElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ?? new Elf(),v), - "process.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), - "ProcessElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ?? new Elf(),v), - "process.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), - "ProcessElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ?? new Elf(),v), - "process.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), - "ProcessElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ?? new Elf(),v), - "process.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), - "ProcessElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ?? new Elf(),v), - "process.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? new Elf(),v), - "ProcessElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ?? 
new Elf(),v), - "process.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "ProcessElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "process.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), - "ProcessElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ?? new Elf(),v), - "process.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ?? new Elf(),v), - "process.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ?? new Elf(),v), - "process.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ?? new Elf(),v), - "process.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ?? new Elf(),v), - "process.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ?? new Elf(),v), - "process.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ?? new Elf(),v), - "process.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ?? 
new Elf(),v), - "process.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), - "ProcessElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ?? new Elf(),v), - "process.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), - "ProcessElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ?? new Elf(),v), - "process.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), - "ProcessElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ?? new Elf(),v), - "process.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "ProcessElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ?? new Elf(),v), - "process.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), - "ProcessElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ?? new Elf(),v), - "process.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), - "ProcessMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ?? new Macho(),v), - "process.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), - "ProcessMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ?? new Macho(),v), - "process.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), - "ProcessMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ?? new Macho(),v), - "process.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? 
new Macho(),v), - "ProcessMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "process.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), - "ProcessMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ?? new Macho(),v), - "process.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), - "ProcessMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ?? new Macho(),v), - "process.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), - "ProcessMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ?? new Macho(),v), - "process.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "ProcessMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ?? new Macho(),v), - "process.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), - "ProcessMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ?? new Macho(),v), - "process.entry_meta.source.address" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceAddress" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.bytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceBytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.domain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ?? 
new Source(),v), - "ProcessEntryMetaSourceDomain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.ip" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceIp" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.mac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceMac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.nat.ip" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceNatIp" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.nat.port" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceNatPort" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.packets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourcePackets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.port" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourcePort" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.registered_domain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceRegisteredDomain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ?? 
new Source(),v), - "process.entry_meta.source.subdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceSubdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.top_level_domain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceTopLevelDomain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.as.number" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceAsNumber" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.as.organization.name" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceAsOrganizationName" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.city_name" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoCityName" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.continent_code" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoContinentCode" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.continent_name" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoContinentName" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ?? 
new Source(),v), - "process.entry_meta.source.geo.country_iso_code" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoCountryIsoCode" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.country_name" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoCountryName" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.name" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoName" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.postal_code" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoPostalCode" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.region_iso_code" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoRegionIsoCode" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.region_name" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceGeoRegionName" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.geo.timezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ?? 
new Source(),v), - "ProcessEntryMetaSourceGeoTimezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.domain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserDomain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.email" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserEmail" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.full_name" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserFullName" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.hash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserHash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.id" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserId" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.name" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserName" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.group.domain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ?? 
new Source(),v), - "ProcessEntryMetaSourceUserGroupDomain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.group.id" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserGroupId" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.group.name" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserGroupName" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.risk.calculated_level" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserRiskCalculatedLevel" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.risk.calculated_score" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserRiskCalculatedScore" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.risk.calculated_score_norm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.risk.static_level" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ?? 
new Source(),v), - "ProcessEntryMetaSourceUserRiskStaticLevel" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.risk.static_score" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserRiskStaticScore" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.risk.static_score_norm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.target.user.domain" => static (e, v) => TryAssignSource("source.user.target.user.domain")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserTargetUserDomain" => static (e, v) => TryAssignSource("source.user.target.user.domain")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.target.user.email" => static (e, v) => TryAssignSource("source.user.target.user.email")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserTargetUserEmail" => static (e, v) => TryAssignSource("source.user.target.user.email")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.target.user.full_name" => static (e, v) => TryAssignSource("source.user.target.user.full_name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserTargetUserFullName" => static (e, v) => TryAssignSource("source.user.target.user.full_name")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.target.user.hash" => static (e, v) => TryAssignSource("source.user.target.user.hash")(e.EntryMetaSource ?? 
new Source(),v), - "ProcessEntryMetaSourceUserTargetUserHash" => static (e, v) => TryAssignSource("source.user.target.user.hash")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.target.user.id" => static (e, v) => TryAssignSource("source.user.target.user.id")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserTargetUserId" => static (e, v) => TryAssignSource("source.user.target.user.id")(e.EntryMetaSource ?? new Source(),v), - "process.entry_meta.source.user.target.user.name" => static (e, v) => TryAssignSource("source.user.target.user.name")(e.EntryMetaSource ?? new Source(),v), - "ProcessEntryMetaSourceUserTargetUserName" => static (e, v) => TryAssignSource("source.user.target.user.name")(e.EntryMetaSource ?? new Source(),v), - "process.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "ProcessUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "process.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "ProcessUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "process.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "ProcessUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "process.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "ProcessUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "process.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "ProcessUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "process.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), - "ProcessUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? 
new User(),v), - "process.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "ProcessUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "process.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "ProcessUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "process.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "ProcessUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "process.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "ProcessUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "process.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "ProcessUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "process.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "ProcessUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "process.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "ProcessUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "process.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "ProcessUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? 
new User(),v), - "process.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "ProcessUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "process.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "ProcessUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "process.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "ProcessUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "process.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "ProcessUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "process.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "ProcessUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "process.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "ProcessUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "process.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), - "ProcessUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), - "parent.process.args_count" => static (e, v) => TryAssignProcessParent("process.args_count")(e.Parent ?? new ProcessParent(),v), - "ParentProcessArgsCount" => static (e, v) => TryAssignProcessParent("process.args_count")(e.Parent ?? new ProcessParent(),v), - "parent.process.command_line" => static (e, v) => TryAssignProcessParent("process.command_line")(e.Parent ?? 
new ProcessParent(),v), - "ParentProcessCommandLine" => static (e, v) => TryAssignProcessParent("process.command_line")(e.Parent ?? new ProcessParent(),v), - "parent.process.end" => static (e, v) => TryAssignProcessParent("process.end")(e.Parent ?? new ProcessParent(),v), - "ParentProcessEnd" => static (e, v) => TryAssignProcessParent("process.end")(e.Parent ?? new ProcessParent(),v), - "parent.process.entity_id" => static (e, v) => TryAssignProcessParent("process.entity_id")(e.Parent ?? new ProcessParent(),v), - "ParentProcessEntityId" => static (e, v) => TryAssignProcessParent("process.entity_id")(e.Parent ?? new ProcessParent(),v), - "parent.process.executable" => static (e, v) => TryAssignProcessParent("process.executable")(e.Parent ?? new ProcessParent(),v), - "ParentProcessExecutable" => static (e, v) => TryAssignProcessParent("process.executable")(e.Parent ?? new ProcessParent(),v), - "parent.process.exit_code" => static (e, v) => TryAssignProcessParent("process.exit_code")(e.Parent ?? new ProcessParent(),v), - "ParentProcessExitCode" => static (e, v) => TryAssignProcessParent("process.exit_code")(e.Parent ?? new ProcessParent(),v), - "parent.process.interactive" => static (e, v) => TryAssignProcessParent("process.interactive")(e.Parent ?? new ProcessParent(),v), - "ParentProcessInteractive" => static (e, v) => TryAssignProcessParent("process.interactive")(e.Parent ?? new ProcessParent(),v), - "parent.process.name" => static (e, v) => TryAssignProcessParent("process.name")(e.Parent ?? new ProcessParent(),v), - "ParentProcessName" => static (e, v) => TryAssignProcessParent("process.name")(e.Parent ?? new ProcessParent(),v), - "parent.process.pgid" => static (e, v) => TryAssignProcessParent("process.pgid")(e.Parent ?? new ProcessParent(),v), - "ParentProcessPgid" => static (e, v) => TryAssignProcessParent("process.pgid")(e.Parent ?? new ProcessParent(),v), - "parent.process.pid" => static (e, v) => TryAssignProcessParent("process.pid")(e.Parent ?? 
new ProcessParent(),v), - "ParentProcessPid" => static (e, v) => TryAssignProcessParent("process.pid")(e.Parent ?? new ProcessParent(),v), - "parent.process.start" => static (e, v) => TryAssignProcessParent("process.start")(e.Parent ?? new ProcessParent(),v), - "ParentProcessStart" => static (e, v) => TryAssignProcessParent("process.start")(e.Parent ?? new ProcessParent(),v), - "parent.process.thread.id" => static (e, v) => TryAssignProcessParent("process.thread.id")(e.Parent ?? new ProcessParent(),v), - "ParentProcessThreadId" => static (e, v) => TryAssignProcessParent("process.thread.id")(e.Parent ?? new ProcessParent(),v), - "parent.process.thread.name" => static (e, v) => TryAssignProcessParent("process.thread.name")(e.Parent ?? new ProcessParent(),v), - "ParentProcessThreadName" => static (e, v) => TryAssignProcessParent("process.thread.name")(e.Parent ?? new ProcessParent(),v), - "parent.process.title" => static (e, v) => TryAssignProcessParent("process.title")(e.Parent ?? new ProcessParent(),v), - "ParentProcessTitle" => static (e, v) => TryAssignProcessParent("process.title")(e.Parent ?? new ProcessParent(),v), - "parent.process.uptime" => static (e, v) => TryAssignProcessParent("process.uptime")(e.Parent ?? new ProcessParent(),v), - "ParentProcessUptime" => static (e, v) => TryAssignProcessParent("process.uptime")(e.Parent ?? new ProcessParent(),v), - "parent.process.vpid" => static (e, v) => TryAssignProcessParent("process.vpid")(e.Parent ?? new ProcessParent(),v), - "ParentProcessVpid" => static (e, v) => TryAssignProcessParent("process.vpid")(e.Parent ?? new ProcessParent(),v), - "parent.process.working_directory" => static (e, v) => TryAssignProcessParent("process.working_directory")(e.Parent ?? new ProcessParent(),v), - "ParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessParent("process.working_directory")(e.Parent ?? 
new ProcessParent(),v), - "process.parent.group_leader.process.args_count" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.args_count")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessArgsCount" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.args_count")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.command_line" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.command_line")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessCommandLine" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.command_line")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.end" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.end")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessEnd" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.end")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.entity_id" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.entity_id")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessEntityId" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.entity_id")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.executable" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.executable")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessExecutable" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.executable")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.exit_code" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.exit_code")(e.Parent ?? 
new ProcessParent(),v), - "ProcessParentGroupLeaderProcessExitCode" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.exit_code")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.interactive" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.interactive")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessInteractive" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.interactive")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.name" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.name")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessName" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.name")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.pgid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pgid")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessPgid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pgid")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.pid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pid")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessPid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.pid")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.start" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.start")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessStart" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.start")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.thread.id" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.id")(e.Parent ?? 
new ProcessParent(),v), - "ProcessParentGroupLeaderProcessThreadId" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.id")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.thread.name" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.name")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessThreadName" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.thread.name")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.title" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.title")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessTitle" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.title")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.uptime" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.uptime")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessUptime" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.uptime")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.vpid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.vpid")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessVpid" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.vpid")(e.Parent ?? new ProcessParent(),v), - "process.parent.group_leader.process.working_directory" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.working_directory")(e.Parent ?? new ProcessParent(),v), - "ProcessParentGroupLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessParent("parent.group_leader.process.working_directory")(e.Parent ?? 
new ProcessParent(),v), - "process.entry_leader.parent.process.args_count" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.command_line" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.end" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessEnd" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.entity_id")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.entity_id")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.executable" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.exit_code")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.exit_code")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.interactive" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.name" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessName" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.pgid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessPgid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.pid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessPid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.start" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessStart" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.start")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.title" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessTitle" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.uptime" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessUptime" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.vpid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessVpid" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.entry_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.working_directory")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "ProcessEntryLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeader("entry_leader.parent.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.args_count")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.command_line")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.end")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.entity_id")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.entity_id")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.executable")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.exit_code")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.exit_code")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.interactive")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.name")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pgid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.pid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.start")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.id")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.id")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.thread.name")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.title")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.uptime")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.vpid")(e.EntryLeader ?? 
new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.vpid")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "entry_leader.process.parent.entry_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "EntryLeaderProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeader("process.parent.entry_leader.parent.session_leader.process.working_directory")(e.EntryLeader ?? new ProcessEntryLeader(),v), - "process.session_leader.parent.process.args_count" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.args_count")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.args_count")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.command_line" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.end" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.end")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessEnd" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.end")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "process.session_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.executable" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.interactive" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.name" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessName" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.name")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "process.session_leader.parent.process.pgid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessPgid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.pid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessPid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.start" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.start")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessStart" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.start")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.thread.name")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "process.session_leader.parent.process.title" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessTitle" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.uptime" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessUptime" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.vpid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessVpid" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "process.session_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "ProcessSessionLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeader("session_leader.parent.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.args_count")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.args_count")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.command_line")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.end")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.end")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.entity_id")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.entity_id")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.executable")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.exit_code")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.interactive")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.name")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pgid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.pid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.start")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.start")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.id")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.id")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.thread.name")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.title")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.uptime")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.uptime")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.vpid")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "session_leader.process.parent.session_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.working_directory")(e.SessionLeader ?? new ProcessSessionLeader(),v), - "SessionLeaderProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeader("process.parent.session_leader.parent.session_leader.process.working_directory")(e.SessionLeader ?? 
new ProcessSessionLeader(),v), + "process.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "ProcessGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "process.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "ProcessGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "process.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "ProcessGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "process.real_group.domain" => static (e, v) => TryAssignGroup("real_group.domain")(e.RealGroup ??= new Group(),v), + "ProcessRealGroupDomain" => static (e, v) => TryAssignGroup("real_group.domain")(e.RealGroup ??= new Group(),v), + "process.real_group.id" => static (e, v) => TryAssignGroup("real_group.id")(e.RealGroup ??= new Group(),v), + "ProcessRealGroupId" => static (e, v) => TryAssignGroup("real_group.id")(e.RealGroup ??= new Group(),v), + "process.real_group.name" => static (e, v) => TryAssignGroup("real_group.name")(e.RealGroup ??= new Group(),v), + "ProcessRealGroupName" => static (e, v) => TryAssignGroup("real_group.name")(e.RealGroup ??= new Group(),v), + "process.saved_group.domain" => static (e, v) => TryAssignGroup("saved_group.domain")(e.SavedGroup ??= new Group(),v), + "ProcessSavedGroupDomain" => static (e, v) => TryAssignGroup("saved_group.domain")(e.SavedGroup ??= new Group(),v), + "process.saved_group.id" => static (e, v) => TryAssignGroup("saved_group.id")(e.SavedGroup ??= new Group(),v), + "ProcessSavedGroupId" => static (e, v) => TryAssignGroup("saved_group.id")(e.SavedGroup ??= new Group(),v), + "process.saved_group.name" => static (e, v) => TryAssignGroup("saved_group.name")(e.SavedGroup ??= new Group(),v), + "ProcessSavedGroupName" => static (e, v) => TryAssignGroup("saved_group.name")(e.SavedGroup ??= new Group(),v), + 
"process.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "ProcessHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "process.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "ProcessHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "process.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "ProcessHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "process.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "ProcessHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "process.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "ProcessHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "process.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "ProcessHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "process.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "ProcessHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "process.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "ProcessPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "process.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "ProcessPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "process.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "ProcessPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "process.pe.file_version" => static (e, v) => 
TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "ProcessPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "process.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "ProcessPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "process.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "ProcessPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "process.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "process.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "process.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "ProcessPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "process.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "ProcessPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "process.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "ProcessPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "process.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "process.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + 
"ProcessPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "process.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "ProcessPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "process.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "ProcessPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "process.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "ProcessPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "process.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.subject_name" => static (e, v) => 
TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "process.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "ProcessElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "process.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "ProcessElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "process.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "ProcessElfCpuType" => static (e, v) => 
TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "process.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "ProcessElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "process.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "ProcessElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "process.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "ProcessElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "process.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "process.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "process.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "ProcessElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "process.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "process.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "process.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderData" => static (e, v) 
=> TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "process.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "process.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "process.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "process.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "process.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "process.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "ProcessElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "process.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "process.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "process.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "ProcessElfTelfhash" => 
static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "process.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "process.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "process.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "process.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "process.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "ProcessMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "process.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "ProcessMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "process.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "process.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoImportsNamesVarEntropy" => static 
(e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "process.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), + "ProcessMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), + "process.entry_meta.source.address" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceAddress" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.bytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceBytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.domain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceDomain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.ip" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceIp" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.mac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceMac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.nat.ip" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceNatIp" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.nat.port" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceNatPort" => static (e, v) => 
TryAssignSource("source.nat.port")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.packets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourcePackets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.port" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourcePort" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.registered_domain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceRegisteredDomain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.subdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceSubdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.top_level_domain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceTopLevelDomain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.as.number" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceAsNumber" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.as.organization.name" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceAsOrganizationName" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ??= new 
Source(),v), + "process.entry_meta.source.geo.city_name" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoCityName" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.continent_code" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoContinentCode" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.continent_name" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoContinentName" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.country_iso_code" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoCountryIsoCode" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.country_name" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoCountryName" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.location" => static (e, v) => TryAssignSource("source.geo.location")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoLocation" => static (e, v) => TryAssignSource("source.geo.location")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.name" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoName" => static (e, v) => 
TryAssignSource("source.geo.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.postal_code" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoPostalCode" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.region_iso_code" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoRegionIsoCode" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.region_name" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoRegionName" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.timezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoTimezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.domain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserDomain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.email" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserEmail" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.full_name" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserFullName" => static (e, v) => 
TryAssignSource("source.user.full_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.hash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserHash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.id" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserId" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.name" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserName" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.group.domain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserGroupDomain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.group.id" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserGroupId" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.group.name" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserGroupName" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.calculated_level" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedLevel" => static (e, v) => 
TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.calculated_score" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedScore" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.calculated_score_norm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.static_level" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticLevel" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.static_score" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticScore" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.static_score_norm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ??= new Source(),v), + "process.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "ProcessUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "process.user.email" => static (e, v) => 
TryAssignUser("user.email")(e.User ??= new User(),v), + "ProcessUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "process.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "ProcessUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "process.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "ProcessUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "process.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "ProcessUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "process.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "ProcessUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "process.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "ProcessUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "process.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "ProcessUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "process.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "ProcessUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "process.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "ProcessUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "process.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "ProcessUserRiskCalculatedScore" => static (e, v) => 
TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "process.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "ProcessUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "process.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "ProcessUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "process.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "ProcessUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "process.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "ProcessUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "process.saved_user.domain" => static (e, v) => TryAssignUser("saved_user.domain")(e.SavedUser ??= new User(),v), + "ProcessSavedUserDomain" => static (e, v) => TryAssignUser("saved_user.domain")(e.SavedUser ??= new User(),v), + "process.saved_user.email" => static (e, v) => TryAssignUser("saved_user.email")(e.SavedUser ??= new User(),v), + "ProcessSavedUserEmail" => static (e, v) => TryAssignUser("saved_user.email")(e.SavedUser ??= new User(),v), + "process.saved_user.full_name" => static (e, v) => TryAssignUser("saved_user.full_name")(e.SavedUser ??= new User(),v), + "ProcessSavedUserFullName" => static (e, v) => TryAssignUser("saved_user.full_name")(e.SavedUser ??= new User(),v), + "process.saved_user.hash" => static (e, v) => TryAssignUser("saved_user.hash")(e.SavedUser ??= new User(),v), + "ProcessSavedUserHash" => static (e, v) => TryAssignUser("saved_user.hash")(e.SavedUser ??= new User(),v), + 
"process.saved_user.id" => static (e, v) => TryAssignUser("saved_user.id")(e.SavedUser ??= new User(),v), + "ProcessSavedUserId" => static (e, v) => TryAssignUser("saved_user.id")(e.SavedUser ??= new User(),v), + "process.saved_user.name" => static (e, v) => TryAssignUser("saved_user.name")(e.SavedUser ??= new User(),v), + "ProcessSavedUserName" => static (e, v) => TryAssignUser("saved_user.name")(e.SavedUser ??= new User(),v), + "process.saved_user.group.domain" => static (e, v) => TryAssignUser("saved_user.group.domain")(e.SavedUser ??= new User(),v), + "ProcessSavedUserGroupDomain" => static (e, v) => TryAssignUser("saved_user.group.domain")(e.SavedUser ??= new User(),v), + "process.saved_user.group.id" => static (e, v) => TryAssignUser("saved_user.group.id")(e.SavedUser ??= new User(),v), + "ProcessSavedUserGroupId" => static (e, v) => TryAssignUser("saved_user.group.id")(e.SavedUser ??= new User(),v), + "process.saved_user.group.name" => static (e, v) => TryAssignUser("saved_user.group.name")(e.SavedUser ??= new User(),v), + "ProcessSavedUserGroupName" => static (e, v) => TryAssignUser("saved_user.group.name")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.calculated_level" => static (e, v) => TryAssignUser("saved_user.risk.calculated_level")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("saved_user.risk.calculated_level")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.calculated_score" => static (e, v) => TryAssignUser("saved_user.risk.calculated_score")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskCalculatedScore" => static (e, v) => TryAssignUser("saved_user.risk.calculated_score")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("saved_user.risk.calculated_score_norm")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskCalculatedScoreNorm" => static (e, v) => 
TryAssignUser("saved_user.risk.calculated_score_norm")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.static_level" => static (e, v) => TryAssignUser("saved_user.risk.static_level")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskStaticLevel" => static (e, v) => TryAssignUser("saved_user.risk.static_level")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.static_score" => static (e, v) => TryAssignUser("saved_user.risk.static_score")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskStaticScore" => static (e, v) => TryAssignUser("saved_user.risk.static_score")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.static_score_norm" => static (e, v) => TryAssignUser("saved_user.risk.static_score_norm")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("saved_user.risk.static_score_norm")(e.SavedUser ??= new User(),v), + "process.real_user.domain" => static (e, v) => TryAssignUser("real_user.domain")(e.RealUser ??= new User(),v), + "ProcessRealUserDomain" => static (e, v) => TryAssignUser("real_user.domain")(e.RealUser ??= new User(),v), + "process.real_user.email" => static (e, v) => TryAssignUser("real_user.email")(e.RealUser ??= new User(),v), + "ProcessRealUserEmail" => static (e, v) => TryAssignUser("real_user.email")(e.RealUser ??= new User(),v), + "process.real_user.full_name" => static (e, v) => TryAssignUser("real_user.full_name")(e.RealUser ??= new User(),v), + "ProcessRealUserFullName" => static (e, v) => TryAssignUser("real_user.full_name")(e.RealUser ??= new User(),v), + "process.real_user.hash" => static (e, v) => TryAssignUser("real_user.hash")(e.RealUser ??= new User(),v), + "ProcessRealUserHash" => static (e, v) => TryAssignUser("real_user.hash")(e.RealUser ??= new User(),v), + "process.real_user.id" => static (e, v) => TryAssignUser("real_user.id")(e.RealUser ??= new User(),v), + "ProcessRealUserId" => static (e, v) => TryAssignUser("real_user.id")(e.RealUser 
??= new User(),v), + "process.real_user.name" => static (e, v) => TryAssignUser("real_user.name")(e.RealUser ??= new User(),v), + "ProcessRealUserName" => static (e, v) => TryAssignUser("real_user.name")(e.RealUser ??= new User(),v), + "process.real_user.group.domain" => static (e, v) => TryAssignUser("real_user.group.domain")(e.RealUser ??= new User(),v), + "ProcessRealUserGroupDomain" => static (e, v) => TryAssignUser("real_user.group.domain")(e.RealUser ??= new User(),v), + "process.real_user.group.id" => static (e, v) => TryAssignUser("real_user.group.id")(e.RealUser ??= new User(),v), + "ProcessRealUserGroupId" => static (e, v) => TryAssignUser("real_user.group.id")(e.RealUser ??= new User(),v), + "process.real_user.group.name" => static (e, v) => TryAssignUser("real_user.group.name")(e.RealUser ??= new User(),v), + "ProcessRealUserGroupName" => static (e, v) => TryAssignUser("real_user.group.name")(e.RealUser ??= new User(),v), + "process.real_user.risk.calculated_level" => static (e, v) => TryAssignUser("real_user.risk.calculated_level")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("real_user.risk.calculated_level")(e.RealUser ??= new User(),v), + "process.real_user.risk.calculated_score" => static (e, v) => TryAssignUser("real_user.risk.calculated_score")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskCalculatedScore" => static (e, v) => TryAssignUser("real_user.risk.calculated_score")(e.RealUser ??= new User(),v), + "process.real_user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("real_user.risk.calculated_score_norm")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("real_user.risk.calculated_score_norm")(e.RealUser ??= new User(),v), + "process.real_user.risk.static_level" => static (e, v) => TryAssignUser("real_user.risk.static_level")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskStaticLevel" => static (e, v) => 
TryAssignUser("real_user.risk.static_level")(e.RealUser ??= new User(),v), + "process.real_user.risk.static_score" => static (e, v) => TryAssignUser("real_user.risk.static_score")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskStaticScore" => static (e, v) => TryAssignUser("real_user.risk.static_score")(e.RealUser ??= new User(),v), + "process.real_user.risk.static_score_norm" => static (e, v) => TryAssignUser("real_user.risk.static_score_norm")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("real_user.risk.static_score_norm")(e.RealUser ??= new User(),v), + "process.attested_user.domain" => static (e, v) => TryAssignUser("attested_user.domain")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserDomain" => static (e, v) => TryAssignUser("attested_user.domain")(e.AttestedUser ??= new User(),v), + "process.attested_user.email" => static (e, v) => TryAssignUser("attested_user.email")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserEmail" => static (e, v) => TryAssignUser("attested_user.email")(e.AttestedUser ??= new User(),v), + "process.attested_user.full_name" => static (e, v) => TryAssignUser("attested_user.full_name")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserFullName" => static (e, v) => TryAssignUser("attested_user.full_name")(e.AttestedUser ??= new User(),v), + "process.attested_user.hash" => static (e, v) => TryAssignUser("attested_user.hash")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserHash" => static (e, v) => TryAssignUser("attested_user.hash")(e.AttestedUser ??= new User(),v), + "process.attested_user.id" => static (e, v) => TryAssignUser("attested_user.id")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserId" => static (e, v) => TryAssignUser("attested_user.id")(e.AttestedUser ??= new User(),v), + "process.attested_user.name" => static (e, v) => TryAssignUser("attested_user.name")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserName" => 
static (e, v) => TryAssignUser("attested_user.name")(e.AttestedUser ??= new User(),v), + "process.attested_user.group.domain" => static (e, v) => TryAssignUser("attested_user.group.domain")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserGroupDomain" => static (e, v) => TryAssignUser("attested_user.group.domain")(e.AttestedUser ??= new User(),v), + "process.attested_user.group.id" => static (e, v) => TryAssignUser("attested_user.group.id")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserGroupId" => static (e, v) => TryAssignUser("attested_user.group.id")(e.AttestedUser ??= new User(),v), + "process.attested_user.group.name" => static (e, v) => TryAssignUser("attested_user.group.name")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserGroupName" => static (e, v) => TryAssignUser("attested_user.group.name")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.calculated_level" => static (e, v) => TryAssignUser("attested_user.risk.calculated_level")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("attested_user.risk.calculated_level")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.calculated_score" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskCalculatedScore" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score_norm")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score_norm")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.static_level" => static (e, v) => TryAssignUser("attested_user.risk.static_level")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskStaticLevel" => 
static (e, v) => TryAssignUser("attested_user.risk.static_level")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.static_score" => static (e, v) => TryAssignUser("attested_user.risk.static_score")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskStaticScore" => static (e, v) => TryAssignUser("attested_user.risk.static_score")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.static_score_norm" => static (e, v) => TryAssignUser("attested_user.risk.static_score_norm")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("attested_user.risk.static_score_norm")(e.AttestedUser ??= new User(),v), _ => null }; return assign; 
@@ -5455,72 +5085,62 @@ public static Func TryAssignServer(string path) "ServerSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "server.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ServerTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "server.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "ServerAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "server.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "ServerAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "server.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "ServerGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "server.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "ServerGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "server.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "ServerGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "server.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "ServerGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "server.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "ServerGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "server.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "ServerGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? 
new Geo(),v), - "server.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "ServerGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "server.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "ServerGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "server.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "ServerGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "server.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "ServerGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "server.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "ServerUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "server.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "ServerUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "server.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "ServerUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "server.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "ServerUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "server.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "ServerUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "server.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), - "ServerUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? 
new User(),v), - "server.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "ServerUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "server.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "ServerUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "server.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "ServerUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "server.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "ServerUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "server.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "ServerUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "server.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "ServerUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "server.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "ServerUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "server.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "ServerUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "server.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? 
new User(),v), - "ServerUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "server.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "ServerUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "server.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "ServerUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "server.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "ServerUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "server.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "ServerUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "server.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "ServerUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "server.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), - "ServerUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? 
new User(),v), + "server.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "ServerAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "server.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "ServerAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "server.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "ServerGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "server.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "ServerGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "server.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "ServerGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "server.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "ServerGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "server.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "ServerGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "server.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "ServerGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "server.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "ServerGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "server.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "ServerGeoPostalCode" => static (e, v) => 
TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "server.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "ServerGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "server.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "ServerGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "server.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "ServerGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "server.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "ServerUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "server.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "ServerUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "server.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "ServerUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "server.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "ServerUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "server.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "ServerUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "server.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "ServerUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "server.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "ServerUserGroupDomain" => static (e, v) => 
TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "server.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "ServerUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "server.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "ServerUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "server.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "ServerUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "server.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "ServerUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "server.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "ServerUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "server.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "ServerUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "server.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "ServerUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "server.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "ServerUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; return 
assign; 
@@ -5560,26 +5180,6 @@ public static Func TryAssignService(string path) "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "origin.service.address" => static (e, v) => TryAssignServiceOrigin("service.address")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceAddress" => static (e, v) => TryAssignServiceOrigin("service.address")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.environment" => static (e, v) => TryAssignServiceOrigin("service.environment")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceEnvironment" => static (e, v) => TryAssignServiceOrigin("service.environment")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.ephemeral_id" => static (e, v) => TryAssignServiceOrigin("service.ephemeral_id")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceEphemeralId" => static (e, v) => TryAssignServiceOrigin("service.ephemeral_id")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.id" => static (e, v) => TryAssignServiceOrigin("service.id")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceId" => static (e, v) => TryAssignServiceOrigin("service.id")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.name" => static (e, v) => TryAssignServiceOrigin("service.name")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceName" => static (e, v) => TryAssignServiceOrigin("service.name")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.node.name" => static (e, v) => TryAssignServiceOrigin("service.node.name")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceNodeName" => static (e, v) => TryAssignServiceOrigin("service.node.name")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.node.role" => static (e, v) => TryAssignServiceOrigin("service.node.role")(e.Origin ?? 
new ServiceOrigin(),v), - "OriginServiceNodeRole" => static (e, v) => TryAssignServiceOrigin("service.node.role")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.state" => static (e, v) => TryAssignServiceOrigin("service.state")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceState" => static (e, v) => TryAssignServiceOrigin("service.state")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.type" => static (e, v) => TryAssignServiceOrigin("service.type")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceType" => static (e, v) => TryAssignServiceOrigin("service.type")(e.Origin ?? new ServiceOrigin(),v), - "origin.service.version" => static (e, v) => TryAssignServiceOrigin("service.version")(e.Origin ?? new ServiceOrigin(),v), - "OriginServiceVersion" => static (e, v) => TryAssignServiceOrigin("service.version")(e.Origin ?? new ServiceOrigin(),v), _ => null }; return assign; 
@@ -5623,72 +5223,62 @@ public static Func TryAssignSource(string path) "SourceSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "source.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "SourceTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), - "source.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "SourceAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ?? new As(),v), - "source.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "SourceAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ?? new As(),v), - "source.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "SourceGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ?? new Geo(),v), - "source.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "SourceGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ?? new Geo(),v), - "source.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "SourceGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ?? new Geo(),v), - "source.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "SourceGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ?? new Geo(),v), - "source.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "SourceGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ?? new Geo(),v), - "source.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? new Geo(),v), - "SourceGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ?? 
new Geo(),v), - "source.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "SourceGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ?? new Geo(),v), - "source.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "SourceGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ?? new Geo(),v), - "source.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "SourceGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ?? new Geo(),v), - "source.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "SourceGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ?? new Geo(),v), - "source.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "SourceUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ?? new User(),v), - "source.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "SourceUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ?? new User(),v), - "source.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "SourceUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ?? new User(),v), - "source.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "SourceUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ?? new User(),v), - "source.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "SourceUserId" => static (e, v) => TryAssignUser("user.id")(e.User ?? new User(),v), - "source.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ?? new User(),v), - "SourceUserName" => static (e, v) => TryAssignUser("user.name")(e.User ?? 
new User(),v), - "source.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "SourceUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ?? new User(),v), - "source.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "SourceUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ?? new User(),v), - "source.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "SourceUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ?? new User(),v), - "source.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "SourceUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ?? new User(),v), - "source.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "SourceUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ?? new User(),v), - "source.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ?? new User(),v), - "source.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "SourceUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ?? new User(),v), - "source.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "SourceUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ?? new User(),v), - "source.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? 
new User(),v), - "SourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ?? new User(),v), - "source.user.target.user.domain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "SourceUserTargetUserDomain" => static (e, v) => TryAssignUser("target.user.domain")(e.User ?? new User(),v), - "source.user.target.user.email" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "SourceUserTargetUserEmail" => static (e, v) => TryAssignUser("target.user.email")(e.User ?? new User(),v), - "source.user.target.user.full_name" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "SourceUserTargetUserFullName" => static (e, v) => TryAssignUser("target.user.full_name")(e.User ?? new User(),v), - "source.user.target.user.hash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "SourceUserTargetUserHash" => static (e, v) => TryAssignUser("target.user.hash")(e.User ?? new User(),v), - "source.user.target.user.id" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "SourceUserTargetUserId" => static (e, v) => TryAssignUser("target.user.id")(e.User ?? new User(),v), - "source.user.target.user.name" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? new User(),v), - "SourceUserTargetUserName" => static (e, v) => TryAssignUser("target.user.name")(e.User ?? 
new User(),v), + "source.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "SourceAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "source.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "SourceAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "source.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "SourceGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "source.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "SourceGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "source.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "SourceGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "source.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "SourceGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "source.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "SourceGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "source.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "SourceGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "source.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "SourceGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "source.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "SourceGeoPostalCode" => static (e, v) => 
TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "source.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "SourceGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "source.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "SourceGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "source.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "SourceGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "source.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "SourceUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "source.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "SourceUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "source.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "SourceUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "source.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "SourceUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "source.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "SourceUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "source.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "SourceUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "source.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "SourceUserGroupDomain" => static (e, v) => 
TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "source.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "SourceUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "source.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "SourceUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "source.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "SourceUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "source.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "SourceUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "source.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "source.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "SourceUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "source.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "SourceUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "source.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "SourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; return 
assign; 
@@ -5764,280 +5354,282 @@ public static Func TryAssignThreat(string path) "ThreatSoftwareReference" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareReference = p), "threat.software.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), "ThreatSoftwareType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), - "threat.indicator.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ?? 
new X509(),v), - "threat.indicator.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ?? new X509(),v), - "ThreatIndicatorX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ?? new X509(),v), - "threat.indicator.as.number" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ?? new As(),v), - "ThreatIndicatorAsNumber" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ?? new As(),v), - "threat.indicator.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ?? new As(),v), - "ThreatIndicatorAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ?? new As(),v), - "threat.indicator.file.accessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ?? 
new File(),v), - "ThreatIndicatorFileAccessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.created" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCreated" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.ctime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCtime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.device" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileDevice" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.directory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileDirectory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.drive_letter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileDriveLetter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.extension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileExtension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.fork_name" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileForkName" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.gid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileGid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.group" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileGroup" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.inode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileInode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.mime_type" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMimeType" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.mode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.mtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.name" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileName" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.owner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileOwner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.path" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePath" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.size" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ?? 
new File(),v), - "ThreatIndicatorFileSize" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.target_path" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileTargetPath" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.type" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileType" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.uid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileUid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.md5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileHashMd5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.sha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileHashSha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.sha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileHashSha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.sha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileHashSha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.sha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ?? 
new File(),v), - "ThreatIndicatorFileHashSha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.ssdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileHashSsdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.hash.tlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileHashTlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.architecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeArchitecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.company" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeCompany" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.description" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeDescription" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.file_version" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeFileVersion" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.go_import_hash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeGoImportHash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.pe.go_imports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeGoImports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.go_stripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeGoStripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.imphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeImphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.import_hash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeImportHash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.pe.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.original_file_name" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeOriginalFileName" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.pehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePePehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.pe.product" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFilePeProduct" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.issuer.distinguished_name" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509IssuerDistinguishedName" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.not_after" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509NotAfter" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.not_before" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509NotBefore" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.x509.public_key_algorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509PublicKeyAlgorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.public_key_curve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509PublicKeyCurve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.public_key_exponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509PublicKeyExponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.public_key_size" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509PublicKeySize" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.serial_number" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509SerialNumber" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.signature_algorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509SignatureAlgorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.subject.distinguished_name" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ?? 
new File(),v), - "ThreatIndicatorFileX509SubjectDistinguishedName" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.x509.version_number" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileX509VersionNumber" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.digest_algorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.exists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureExists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.signing_id" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureSigningId" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.status" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureStatus" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.subject_name" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureSubjectName" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.code_signature.team_id" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureTeamId" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.timestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureTimestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.trusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureTrusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.code_signature.valid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileCodeSignatureValid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.architecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfArchitecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.byte_order" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfByteOrder" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.cpu_type" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfCpuType" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.elf.creation_date" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfCreationDate" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.go_import_hash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfGoImportHash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.go_imports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfGoImports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.go_stripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfGoStripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.abi_version" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderAbiVersion" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.elf.header.class" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderClass" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.data" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderData" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.entrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderEntrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.object_version" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderObjectVersion" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.os_abi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderOsAbi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.type" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderType" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.header.version" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfHeaderVersion" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.file.elf.import_hash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfImportHash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.elf.telfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileElfTelfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.go_import_hash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoGoImportHash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.go_imports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoGoImports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ?? 
new File(),v), - "ThreatIndicatorFileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.go_stripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoGoStripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.import_hash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoImportHash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ?? new File(),v), - "threat.indicator.file.macho.symhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ?? new File(),v), - "ThreatIndicatorFileMachoSymhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ?? 
new File(),v), - "threat.indicator.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ?? 
new Geo(),v), - "threat.indicator.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ?? new Geo(),v), - "ThreatIndicatorGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ?? new Geo(),v), - "threat.indicator.registry.data.bytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ?? new Registry(),v), - "ThreatIndicatorRegistryDataBytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ?? new Registry(),v), - "threat.indicator.registry.data.type" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ?? new Registry(),v), - "ThreatIndicatorRegistryDataType" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ?? new Registry(),v), - "threat.indicator.registry.hive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ?? new Registry(),v), - "ThreatIndicatorRegistryHive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ?? new Registry(),v), - "threat.indicator.registry.key" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ?? new Registry(),v), - "ThreatIndicatorRegistryKey" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ?? new Registry(),v), - "threat.indicator.registry.path" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ?? new Registry(),v), - "ThreatIndicatorRegistryPath" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ?? new Registry(),v), - "threat.indicator.registry.value" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ?? 
new Registry(),v), - "ThreatIndicatorRegistryValue" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ?? new Registry(),v), - "threat.indicator.url.domain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlDomain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.extension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlExtension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.fragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlFragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.full" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlFull" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.original" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlOriginal" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.password" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlPassword" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.path" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlPath" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.port" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlPort" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ?? 
new Url(),v), - "threat.indicator.url.query" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlQuery" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.registered_domain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlRegisteredDomain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.scheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlScheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.subdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlSubdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.top_level_domain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlTopLevelDomain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ?? new Url(),v), - "threat.indicator.url.username" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ?? new Url(),v), - "ThreatIndicatorUrlUsername" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ?? 
new Url(),v), + "threat.indicator.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.serial_number" => static (e, v) => 
TryAssignX509("x509.serial_number")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.as.number" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ??= new As(),v), + "ThreatIndicatorAsNumber" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ??= new As(),v), + "threat.indicator.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ??= new As(),v), + "ThreatIndicatorAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ??= new As(),v), + "threat.indicator.file.accessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileAccessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.created" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCreated" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ??= new File(),v), + 
"threat.indicator.file.ctime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCtime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.device" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileDevice" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.directory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileDirectory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.drive_letter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileDriveLetter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.extension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileExtension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.fork_name" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileForkName" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.gid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileGid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.group" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileGroup" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.inode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ??= new File(),v), 
+ "ThreatIndicatorFileInode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.mime_type" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMimeType" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.mode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.mtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.name" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileName" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.owner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileOwner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.path" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePath" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.size" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileSize" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.target_path" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileTargetPath" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.type" => static (e, v) 
=> TryAssignFile("file.type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileType" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.uid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileUid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.md5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashMd5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.ssdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSsdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.tlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ??= new File(),v), + 
"ThreatIndicatorFileHashTlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.architecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeArchitecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.company" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeCompany" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.description" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeDescription" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.file_version" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeFileVersion" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_import_hash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImportHash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_imports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + 
"threat.indicator.file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_stripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoStripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.imphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.import_hash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImportHash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.original_file_name" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeOriginalFileName" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ??= new File(),v), + 
"threat.indicator.file.pe.pehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePePehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.product" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeProduct" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.issuer.distinguished_name" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509IssuerDistinguishedName" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.not_after" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509NotAfter" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.not_before" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509NotBefore" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_algorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeyAlgorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_curve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeyCurve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_exponent" => static (e, v) => 
TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeyExponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_size" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeySize" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.serial_number" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509SerialNumber" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.signature_algorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509SignatureAlgorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.subject.distinguished_name" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509SubjectDistinguishedName" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.version_number" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509VersionNumber" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.digest_algorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureDigestAlgorithm" => static (e, v) => 
TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.exists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureExists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.signing_id" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureSigningId" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.status" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureStatus" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.subject_name" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureSubjectName" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.team_id" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureTeamId" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.timestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureTimestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.trusted" => static (e, v) => 
TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureTrusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.valid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureValid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.architecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfArchitecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.byte_order" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfByteOrder" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.cpu_type" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfCpuType" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.creation_date" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfCreationDate" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_import_hash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImportHash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_imports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ??= new File(),v), + 
"ThreatIndicatorFileElfGoImports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_stripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoStripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.abi_version" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderAbiVersion" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.class" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderClass" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.data" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderData" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.entrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ??= new 
File(),v), + "ThreatIndicatorFileElfHeaderEntrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.object_version" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderObjectVersion" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.os_abi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderOsAbi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.type" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderType" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.version" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderVersion" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.import_hash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfImportHash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ??= new 
File(),v), + "ThreatIndicatorFileElfImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.telfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfTelfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_import_hash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImportHash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_imports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_stripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoStripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.import_hash" => static (e, v) => 
TryAssignFile("file.macho.import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoImportHash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.symhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoSymhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ??= new Geo(),v), + 
"ThreatIndicatorGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.registry.data.bytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryDataBytes" => static (e, v) => 
TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.data.type" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryDataType" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.hive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryHive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.key" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryKey" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.path" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryPath" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.value" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryValue" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.url.domain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlDomain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.extension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlExtension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.fragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ??= new Url(),v), + 
"ThreatIndicatorUrlFragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.full" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlFull" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.original" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlOriginal" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.password" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlPassword" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.path" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlPath" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.port" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlPort" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.query" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlQuery" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.registered_domain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlRegisteredDomain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.scheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlScheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.subdomain" => static (e, v) => 
TryAssignUrl("url.subdomain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlSubdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.top_level_domain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlTopLevelDomain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.username" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlUsername" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ??= new Url(),v), _ => null }; return assign; 
@@ -6109,28 +5701,28 @@ public static Func TryAssignTls(string path) "TlsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "tls.version_protocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), "TlsVersionProtocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), - "tls.client.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ?? new X509(),v), - "TlsClientX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ?? new X509(),v), - "TlsClientX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ?? new X509(),v), - "TlsClientX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ?? new X509(),v), - "TlsClientX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ?? new X509(),v), - "TlsClientX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ?? new X509(),v), - "TlsClientX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ?? 
new X509(),v), - "TlsClientX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ?? new X509(),v), - "TlsClientX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ?? new X509(),v), - "TlsClientX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ?? new X509(),v), - "TlsClientX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ?? new X509(),v), - "tls.client.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ?? new X509(),v), - "TlsClientX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ?? 
new X509(),v), + "tls.client.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ??= new X509(),v), + "TlsClientX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ??= new X509(),v), + "TlsClientX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ??= new X509(),v), + "TlsClientX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ??= new X509(),v), + "TlsClientX509SerialNumber" => static (e, v) => 
TryAssignX509("x509.serial_number")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ??= new X509(),v), + "TlsClientX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ??= new X509(),v), + "TlsClientX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ??= new X509(),v), + "TlsClientX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ??= new X509(),v), _ => null }; return assign; 
@@ -6209,36 +5801,24 @@ public static Func TryAssignUser(string path) "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "user.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), - "UserGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ?? new Group(),v), - "user.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), - "UserGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ?? new Group(),v), - "user.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), - "UserGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ?? new Group(),v), - "user.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), - "UserRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ?? new Risk(),v), - "user.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), - "UserRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ?? new Risk(),v), - "user.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), - "UserRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ?? new Risk(),v), - "user.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), - "UserRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ?? new Risk(),v), - "user.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? new Risk(),v), - "UserRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ?? 
new Risk(),v), - "user.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), - "UserRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ?? new Risk(),v), - "target.user.domain" => static (e, v) => TryAssignUserTarget("user.domain")(e.Target ?? new UserTarget(),v), - "TargetUserDomain" => static (e, v) => TryAssignUserTarget("user.domain")(e.Target ?? new UserTarget(),v), - "target.user.email" => static (e, v) => TryAssignUserTarget("user.email")(e.Target ?? new UserTarget(),v), - "TargetUserEmail" => static (e, v) => TryAssignUserTarget("user.email")(e.Target ?? new UserTarget(),v), - "target.user.full_name" => static (e, v) => TryAssignUserTarget("user.full_name")(e.Target ?? new UserTarget(),v), - "TargetUserFullName" => static (e, v) => TryAssignUserTarget("user.full_name")(e.Target ?? new UserTarget(),v), - "target.user.hash" => static (e, v) => TryAssignUserTarget("user.hash")(e.Target ?? new UserTarget(),v), - "TargetUserHash" => static (e, v) => TryAssignUserTarget("user.hash")(e.Target ?? new UserTarget(),v), - "target.user.id" => static (e, v) => TryAssignUserTarget("user.id")(e.Target ?? new UserTarget(),v), - "TargetUserId" => static (e, v) => TryAssignUserTarget("user.id")(e.Target ?? new UserTarget(),v), - "target.user.name" => static (e, v) => TryAssignUserTarget("user.name")(e.Target ?? new UserTarget(),v), - "TargetUserName" => static (e, v) => TryAssignUserTarget("user.name")(e.Target ?? 
new UserTarget(),v), + "user.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "UserGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "user.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "UserGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "user.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "UserGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "user.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "UserRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "user.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "UserRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "user.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "user.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "UserRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "user.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "UserRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "user.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), + "UserRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), _ => null }; return assign; 
@@ -6266,20 +5846,20 @@ public static Func TryAssignUserAgent(string path) "UserAgentOriginal" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), "user_agent.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "UserAgentVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "user_agent.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), - "UserAgentOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ?? new Os(),v), - "user_agent.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), - "UserAgentOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ?? new Os(),v), - "user_agent.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), - "UserAgentOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ?? new Os(),v), - "user_agent.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), - "UserAgentOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ?? new Os(),v), - "user_agent.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), - "UserAgentOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ?? new Os(),v), - "user_agent.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), - "UserAgentOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ?? new Os(),v), - "user_agent.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ?? new Os(),v), - "UserAgentOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ?? 
new Os(),v), + "user_agent.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "UserAgentOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "user_agent.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "UserAgentOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "user_agent.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "UserAgentOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "user_agent.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "UserAgentOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "user_agent.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "UserAgentOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "user_agent.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "UserAgentOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "user_agent.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "UserAgentOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), _ => null }; return assign; 
@@ -6401,973 +5981,5 @@ public static bool TrySetX509(IX509 document, string path, object value) if (assigned) document.X509 = entity; return assigned; } - - public static Func TryAssignCloudOrigin(string path) - { - Func assign = path switch - { - "cloud.account.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), - "CloudAccountId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), - "cloud.account.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), - "CloudAccountName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), - "cloud.availability_zone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), - "CloudAvailabilityZone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), - "cloud.instance.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), - "CloudInstanceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), - "cloud.instance.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), - "CloudInstanceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), - "cloud.machine.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), - "CloudMachineType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), - "cloud.project.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), - "CloudProjectId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), - "cloud.project.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), - "CloudProjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), - "cloud.provider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), - "CloudProvider" => static (e, v) => TrySetString(e, 
v, static (ee, p) => ee.Provider = p), - "cloud.region" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), - "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), - "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - _ => null - }; - return assign; - } - public static bool TrySetCloudOrigin(ICloudOrigin document, string path, object value) - { - var assign = TryAssignCloudOrigin(path); - if (assign == null) return false; - - var entity = document.Origin ?? new CloudOrigin(); - var assigned = assign(entity, value); - if (assigned) document.Origin = entity; - return assigned; - } - - public static Func TryAssignCloudTarget(string path) - { - Func assign = path switch - { - "cloud.account.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), - "CloudAccountId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountId = p), - "cloud.account.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), - "CloudAccountName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AccountName = p), - "cloud.availability_zone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), - "CloudAvailabilityZone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.AvailabilityZone = p), - "cloud.instance.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), - "CloudInstanceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceId = p), - "cloud.instance.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), - "CloudInstanceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.InstanceName = p), - "cloud.machine.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), - 
"CloudMachineType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.MachineType = p), - "cloud.project.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), - "CloudProjectId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectId = p), - "cloud.project.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), - "CloudProjectName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ProjectName = p), - "cloud.provider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), - "CloudProvider" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Provider = p), - "cloud.region" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), - "CloudRegion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Region = p), - "cloud.service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p), - _ => null - }; - return assign; - } - public static bool TrySetCloudTarget(ICloudTarget document, string path, object value) - { - var assign = TryAssignCloudTarget(path); - if (assign == null) return false; - - var entity = document.Target ?? 
new CloudTarget(); - var assigned = assign(entity, value); - if (assigned) document.Target = entity; - return assigned; - } - - public static Func TryAssignProcessParent(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => 
ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "parent.group_leader.process.args_count" => static (e, v) => TryAssignProcessParentGroupLeader("process.args_count")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessArgsCount" => static (e, v) => TryAssignProcessParentGroupLeader("process.args_count")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.command_line" => static (e, v) => TryAssignProcessParentGroupLeader("process.command_line")(e.GroupLeader ?? 
new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessCommandLine" => static (e, v) => TryAssignProcessParentGroupLeader("process.command_line")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.end" => static (e, v) => TryAssignProcessParentGroupLeader("process.end")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessEnd" => static (e, v) => TryAssignProcessParentGroupLeader("process.end")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.entity_id" => static (e, v) => TryAssignProcessParentGroupLeader("process.entity_id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessEntityId" => static (e, v) => TryAssignProcessParentGroupLeader("process.entity_id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.executable" => static (e, v) => TryAssignProcessParentGroupLeader("process.executable")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessExecutable" => static (e, v) => TryAssignProcessParentGroupLeader("process.executable")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.exit_code" => static (e, v) => TryAssignProcessParentGroupLeader("process.exit_code")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessExitCode" => static (e, v) => TryAssignProcessParentGroupLeader("process.exit_code")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.interactive" => static (e, v) => TryAssignProcessParentGroupLeader("process.interactive")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessInteractive" => static (e, v) => TryAssignProcessParentGroupLeader("process.interactive")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.name" => static (e, v) => TryAssignProcessParentGroupLeader("process.name")(e.GroupLeader ?? 
new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessName" => static (e, v) => TryAssignProcessParentGroupLeader("process.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.pgid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pgid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessPgid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pgid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.pid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessPid" => static (e, v) => TryAssignProcessParentGroupLeader("process.pid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.start" => static (e, v) => TryAssignProcessParentGroupLeader("process.start")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessStart" => static (e, v) => TryAssignProcessParentGroupLeader("process.start")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.thread.id" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessThreadId" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.id")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.thread.name" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessThreadName" => static (e, v) => TryAssignProcessParentGroupLeader("process.thread.name")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.title" => static (e, v) => TryAssignProcessParentGroupLeader("process.title")(e.GroupLeader ?? 
new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessTitle" => static (e, v) => TryAssignProcessParentGroupLeader("process.title")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.uptime" => static (e, v) => TryAssignProcessParentGroupLeader("process.uptime")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessUptime" => static (e, v) => TryAssignProcessParentGroupLeader("process.uptime")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.vpid" => static (e, v) => TryAssignProcessParentGroupLeader("process.vpid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessVpid" => static (e, v) => TryAssignProcessParentGroupLeader("process.vpid")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "parent.group_leader.process.working_directory" => static (e, v) => TryAssignProcessParentGroupLeader("process.working_directory")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - "ParentGroupLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessParentGroupLeader("process.working_directory")(e.GroupLeader ?? new ProcessParentGroupLeader(),v), - _ => null - }; - return assign; - } - public static bool TrySetProcessParent(IProcessParent document, string path, object value) - { - var assign = TryAssignProcessParent(path); - if (assign == null) return false; - - var entity = document.Parent ?? 
new ProcessParent(); - var assigned = assign(entity, value); - if (assigned) document.Parent = entity; - return assigned; - } - - public static Func TryAssignProcessEntryLeader(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, v, static (ee, 
p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "entry_leader.parent.process.args_count" => static (e, v) => TryAssignProcessEntryLeaderParent("process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeaderParent("process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.command_line" => static (e, v) => TryAssignProcessEntryLeaderParent("process.command_line")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeaderParent("process.command_line")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.end" => static (e, v) => TryAssignProcessEntryLeaderParent("process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessEnd" => static (e, v) => TryAssignProcessEntryLeaderParent("process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessEntryLeaderParent("process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessEntryLeaderParent("process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.executable" => static (e, v) => TryAssignProcessEntryLeaderParent("process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessEntryLeaderParent("process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessEntryLeaderParent("process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessEntryLeaderParent("process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.interactive" => static (e, v) => TryAssignProcessEntryLeaderParent("process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessEntryLeaderParent("process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.name" => static (e, v) => TryAssignProcessEntryLeaderParent("process.name")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessName" => static (e, v) => TryAssignProcessEntryLeaderParent("process.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.pgid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessPgid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.pid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessPid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.start" => static (e, v) => TryAssignProcessEntryLeaderParent("process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessStart" => static (e, v) => TryAssignProcessEntryLeaderParent("process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessEntryLeaderParent("process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.title" => static (e, v) => TryAssignProcessEntryLeaderParent("process.title")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessTitle" => static (e, v) => TryAssignProcessEntryLeaderParent("process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.uptime" => static (e, v) => TryAssignProcessEntryLeaderParent("process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessUptime" => static (e, v) => TryAssignProcessEntryLeaderParent("process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.vpid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessVpid" => static (e, v) => TryAssignProcessEntryLeaderParent("process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "entry_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessEntryLeaderParent("process.working_directory")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "EntryLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeaderParent("process.working_directory")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.command_line")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.command_line")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.exit_code")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.exit_code")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.pid")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.uptime")(e.Parent ?? 
new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.uptime")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "process.parent.entry_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessEntryLeaderParent(),v), - "ProcessParentEntryLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeaderParent("entry_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessEntryLeaderParent(),v), - _ => null - }; - return assign; - } - public static bool TrySetProcessEntryLeader(IProcessEntryLeader document, string path, object value) - { - var assign = TryAssignProcessEntryLeader(path); - if (assign == null) return false; - - var entity = document.EntryLeader ?? 
new ProcessEntryLeader(); - var assigned = assign(entity, value); - if (assigned) document.EntryLeader = entity; - return assigned; - } - - public static Func TryAssignProcessSessionLeader(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, v, 
static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "session_leader.parent.process.args_count" => static (e, v) => TryAssignProcessSessionLeaderParent("process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeaderParent("process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.command_line" => static (e, v) => TryAssignProcessSessionLeaderParent("process.command_line")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeaderParent("process.command_line")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.end" => static (e, v) => TryAssignProcessSessionLeaderParent("process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessEnd" => static (e, v) => TryAssignProcessSessionLeaderParent("process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.entity_id" => static (e, v) => TryAssignProcessSessionLeaderParent("process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessEntityId" => static (e, v) => TryAssignProcessSessionLeaderParent("process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.executable" => static (e, v) => TryAssignProcessSessionLeaderParent("process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessExecutable" => static (e, v) => TryAssignProcessSessionLeaderParent("process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.exit_code" => static (e, v) => TryAssignProcessSessionLeaderParent("process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessExitCode" => static (e, v) => TryAssignProcessSessionLeaderParent("process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.interactive" => static (e, v) => TryAssignProcessSessionLeaderParent("process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessInteractive" => static (e, v) => TryAssignProcessSessionLeaderParent("process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.name" => static (e, v) => TryAssignProcessSessionLeaderParent("process.name")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessName" => static (e, v) => TryAssignProcessSessionLeaderParent("process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.pgid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessPgid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.pid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessPid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.pid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.start" => static (e, v) => TryAssignProcessSessionLeaderParent("process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessStart" => static (e, v) => TryAssignProcessSessionLeaderParent("process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.thread.id" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessThreadId" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.thread.name" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessThreadName" => static (e, v) => TryAssignProcessSessionLeaderParent("process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.title" => static (e, v) => TryAssignProcessSessionLeaderParent("process.title")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessTitle" => static (e, v) => TryAssignProcessSessionLeaderParent("process.title")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.uptime" => static (e, v) => TryAssignProcessSessionLeaderParent("process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessUptime" => static (e, v) => TryAssignProcessSessionLeaderParent("process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.vpid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessVpid" => static (e, v) => TryAssignProcessSessionLeaderParent("process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "session_leader.parent.process.working_directory" => static (e, v) => TryAssignProcessSessionLeaderParent("process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "SessionLeaderParentProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeaderParent("process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.args_count")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.command_line")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.command_line")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.end")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.entity_id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.executable")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.exit_code")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.exit_code")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.interactive")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pgid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pid")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.pid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.start")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.id")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.thread.name")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.title")(e.Parent ?? 
new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.title")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.uptime")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.vpid")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "process.parent.session_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), - "ProcessParentSessionLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeaderParent("session_leader.parent.session_leader.process.working_directory")(e.Parent ?? new ProcessSessionLeaderParent(),v), - _ => null - }; - return assign; - } - public static bool TrySetProcessSessionLeader(IProcessSessionLeader document, string path, object value) - { - var assign = TryAssignProcessSessionLeader(path); - if (assign == null) return false; - - var entity = document.SessionLeader ?? 
new ProcessSessionLeader(); - var assigned = assign(entity, value); - if (assigned) document.SessionLeader = entity; - return assigned; - } - - public static Func TryAssignProcessGroupLeader(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, v, 
static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - _ => null - }; - return assign; - } - public static bool TrySetProcessGroupLeader(IProcessGroupLeader document, string path, object value) - { - var assign = TryAssignProcessGroupLeader(path); - if (assign == null) return false; - - var entity = document.GroupLeader ?? 
new ProcessGroupLeader(); - var assigned = assign(entity, value); - if (assigned) document.GroupLeader = entity; - return assigned; - } - - public static Func TryAssignProcessParentGroupLeader(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => TrySetLong(e, 
v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - _ => null - }; - return assign; - } - public static bool TrySetProcessParentGroupLeader(IProcessParentGroupLeader document, string path, object value) - { - var assign = TryAssignProcessParentGroupLeader(path); - if (assign == null) return false; - - var entity = document.GroupLeader ?? 
new ProcessParentGroupLeader(); - var assigned = assign(entity, value); - if (assigned) document.GroupLeader = entity; - return assigned; - } - - public static Func TryAssignProcessEntryLeaderParent(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => 
TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "entry_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "entry_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - "EntryLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessEntryLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessEntryLeaderParentSessionLeader(),v), - _ => null - }; - return assign; - } - public static bool TrySetProcessEntryLeaderParent(IProcessEntryLeaderParent document, string path, object value) - { - var assign = TryAssignProcessEntryLeaderParent(path); - if (assign == null) return false; - - var entity = document.Parent ?? 
new ProcessEntryLeaderParent(); - var assigned = assign(entity, value); - if (assigned) document.Parent = entity; - return assigned; - } - - public static Func TryAssignProcessSessionLeaderParent(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) => 
TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "session_leader.parent.session_leader.process.args_count" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessArgsCount" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.args_count")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.command_line" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessCommandLine" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.command_line")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.end" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessEnd" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.end")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.entity_id" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessEntityId" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.entity_id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.executable" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessExecutable" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.executable")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.exit_code" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessExitCode" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.exit_code")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.interactive" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessInteractive" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.interactive")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.name" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessName" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.pgid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessPgid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pgid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.pid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessPid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.pid")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.start" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessStart" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.start")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.thread.id" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessThreadId" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.id")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.thread.name" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessThreadName" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.thread.name")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.title" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessTitle" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.title")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.uptime" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessUptime" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.uptime")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.vpid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessVpid" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.vpid")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "session_leader.parent.session_leader.process.working_directory" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - "SessionLeaderParentSessionLeaderProcessWorkingDirectory" => static (e, v) => TryAssignProcessSessionLeaderParentSessionLeader("process.working_directory")(e.SessionLeader ?? new ProcessSessionLeaderParentSessionLeader(),v), - _ => null - }; - return assign; - } - public static bool TrySetProcessSessionLeaderParent(IProcessSessionLeaderParent document, string path, object value) - { - var assign = TryAssignProcessSessionLeaderParent(path); - if (assign == null) return false; - - var entity = document.Parent ?? 
new ProcessSessionLeaderParent(); - var assigned = assign(entity, value); - if (assigned) document.Parent = entity; - return assigned; - } - - public static Func TryAssignProcessEntryLeaderParentSessionLeader(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "process.pid" => static (e, v) 
=> TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - _ => null - }; - return assign; - } - public static bool TrySetProcessEntryLeaderParentSessionLeader(IProcessEntryLeaderParentSessionLeader document, string path, object value) - { - var assign = TryAssignProcessEntryLeaderParentSessionLeader(path); - if (assign == null) return false; - - var entity = document.SessionLeader ?? 
new ProcessEntryLeaderParentSessionLeader(); - var assigned = assign(entity, value); - if (assigned) document.SessionLeader = entity; - return assigned; - } - - public static Func TryAssignProcessSessionLeaderParentSessionLeader(string path) - { - Func assign = path switch - { - "process.args_count" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "ProcessArgsCount" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ArgsCount = p), - "process.command_line" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "ProcessCommandLine" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CommandLine = p), - "process.end" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "ProcessEnd" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.End = p), - "process.entity_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "ProcessEntityId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EntityId = p), - "process.executable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "ProcessExecutable" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Executable = p), - "process.exit_code" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "ProcessExitCode" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ExitCode = p), - "process.interactive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "ProcessInteractive" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Interactive = p), - "process.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ProcessName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "process.pgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - "ProcessPgid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pgid = p), - 
"process.pid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "ProcessPid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Pid = p), - "process.start" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "ProcessStart" => static (e, v) => TrySetDateTimeOffset(e, v, static (ee, p) => ee.Start = p), - "process.thread.id" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "ProcessThreadId" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.ThreadId = p), - "process.thread.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "ProcessThreadName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ThreadName = p), - "process.title" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "ProcessTitle" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Title = p), - "process.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "ProcessUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), - "process.vpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), - "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), - _ => null - }; - return assign; - } - public static bool TrySetProcessSessionLeaderParentSessionLeader(IProcessSessionLeaderParentSessionLeader document, string path, object value) - { - var assign = TryAssignProcessSessionLeaderParentSessionLeader(path); - if (assign == null) return false; - - var entity = document.SessionLeader ?? 
new ProcessSessionLeaderParentSessionLeader(); - var assigned = assign(entity, value); - if (assigned) document.SessionLeader = entity; - return assigned; - } - - public static Func TryAssignServiceOrigin(string path) - { - Func assign = path switch - { - "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "service.version" => static (e, v) => TrySetString(e, v, static (ee, 
p) => ee.Version = p), - "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - _ => null - }; - return assign; - } - public static bool TrySetServiceOrigin(IServiceOrigin document, string path, object value) - { - var assign = TryAssignServiceOrigin(path); - if (assign == null) return false; - - var entity = document.Origin ?? new ServiceOrigin(); - var assigned = assign(entity, value); - if (assigned) document.Origin = entity; - return assigned; - } - - public static Func TryAssignServiceTarget(string path) - { - Func assign = path switch - { - "service.address" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "ServiceAddress" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Address = p), - "service.environment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "ServiceEnvironment" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Environment = p), - "service.ephemeral_id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "ServiceEphemeralId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.EphemeralId = p), - "service.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "ServiceId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "service.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "ServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "service.node.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "ServiceNodeName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeName = p), - "service.node.role" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "ServiceNodeRole" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.NodeRole = p), - "service.state" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), 
- "ServiceState" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.State = p), - "service.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "ServiceType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), - "service.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), - _ => null - }; - return assign; - } - public static bool TrySetServiceTarget(IServiceTarget document, string path, object value) - { - var assign = TryAssignServiceTarget(path); - if (assign == null) return false; - - var entity = document.Target ?? new ServiceTarget(); - var assigned = assign(entity, value); - if (assigned) document.Target = entity; - return assigned; - } - - public static Func TryAssignUserTarget(string path) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - return assign; - } - 
public static bool TrySetUserTarget(IUserTarget document, string path, object value) - { - var assign = TryAssignUserTarget(path); - if (assign == null) return false; - - var entity = document.Target ?? new UserTarget(); - var assigned = assign(entity, value); - if (assigned) document.Target = entity; - return assigned; - } - - public static Func TryAssignUserEffective(string path) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - return assign; - } - public static bool TrySetUserEffective(IUserEffective document, string path, object value) - { - var assign = TryAssignUserEffective(path); - if (assign == null) return false; - - var entity = document.Effective ?? 
new UserEffective(); - var assigned = assign(entity, value); - if (assigned) document.Effective = entity; - return assigned; - } - - public static Func TryAssignUserChanges(string path) - { - Func assign = path switch - { - "user.domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "UserDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Domain = p), - "user.email" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "UserEmail" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Email = p), - "user.full_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "UserFullName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.FullName = p), - "user.hash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "UserHash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Hash = p), - "user.id" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), - "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), - _ => null - }; - return assign; - } - public static bool TrySetUserChanges(IUserChanges document, string path, object value) - { - var assign = TryAssignUserChanges(path); - if (assign == null) return false; - - var entity = document.Changes ?? new UserChanges(); - var assigned = assign(entity, value); - if (assigned) document.Changes = entity; - return assigned; - } } } diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs index b8365206..b9d233b7 100644 --- a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs +++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs 
@@ -1,3 +1,4 @@
+using System;
 using System.Linq;
 using FluentAssertions;
 using Serilog.Context;
@@ -10,10 +11,10 @@ public class GithubIssue402 : LogTestsBase
 {
 public GithubIssue402(ITestOutputHelper output) : base(output) { }
- [Fact]
- public void Reproduce() => TestLogger((logger, getLogEvents) =>
+ private void Setup(string key, T value, Action assert) => TestLogger((logger, getLogEvents) =>
 {
- using (LogContext.PushProperty("client.as.number", 1))
+ LogTemplateProperties.All.Should().Contain(key);
+ using (LogContext.PushProperty(key, value))
 logger.Information("Logging something with log context");
 var logEvents = getLogEvents();
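Review bot: The new `Setup` helper only pushes values that already have the type the target ECS field expects, so nothing here covers a known key such as `client.as.number` arriving with a value the typed setter cannot convert. Log-context properties are set by arbitrary application code, so a case that pushes a non-numeric string under that key and asserts the event is still emitted, with the value kept somewhere (presumably Labels or Metadata, going by the commented-out assertions), would pin the fallback behaviour. The precondition `LogTemplateProperties.All.Should().Contain(key);` also means the helper cannot be reused for unknown keys; a short comment saying that is intentional would help. The lambda body continues past the end of this hunk.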
@@ -23,15 +24,42 @@ public void Reproduce() => TestLogger((logger, getLogEvents) => var (_, info) = ecsEvents.First(); info.Message.Should().Be("Logging something with log context"); + assert(info, value); - info.Client.Should().NotBeNull(); - - info.Client.As.Number.Should().Be(1); //info.Labels.Should().NotBeNull().And.ContainKey("client.user.id"); //info.Labels["ShipmentId"].Should().Be("my-shipment-id"); //info.Metadata.Should().NotBeNull().And.ContainKey("ShipmentAmount"); //info.Metadata["ShipmentAmount"].Should().Be(2.3); + }); + + [Fact] + public void CanAssignNestedAs() => Setup("client.as.number", 1, (info, v) => + { + info.Client.Should().NotBeNull(); + info.Client!.As.Should().NotBeNull(); + info.Client!.As!.Number.Should().Be(v); + }); + [Fact] + public void CanAssignDeeplyNestedThreatX509() => Setup("threat.indicator.x509.serial_number", "123", (info, v) => + { + info.Threat.Should().NotBeNull(); + info.Threat!.IndicatorX509.Should().NotBeNull(); + info.Threat!.IndicatorX509!.SerialNumber.Should().Be(v); + }); + + [Fact] + public void CanAssignThreatIndicatorAs() => Setup("threat.indicator.as.number", 123, (info, v) => + { + info.Threat.Should().NotBeNull(); + info.Threat!.IndicatorAs.Should().NotBeNull(); + info.Threat!.IndicatorAs!.Number.Should().Be(v); + }); + + [Fact(Skip = "self referential process parent not (yet) supported")] + public void CanAssignProcesssParent() => Setup("process.parent.executable", "bin", (info, v) => + { + info.Process.Should().NotBeNull(); }); } diff --git a/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs b/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs index 0bf84998..9590c20e 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs 
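Review bot: `CanAssignProcesssParent` at the end of this hunk has a typo in its name (three s) and asserts only `info.Process.Should().NotBeNull();`, so once the `Skip` is lifted it would not verify that the value reached the parent. Rename it to `CanAssignProcessParent` and add an assertion that the parent's executable equals `v`, in the same shape as the other three tests. The commented-out `Labels`/`Metadata` assertions carried along in `Setup` no longer relate to this helper and can be dropped.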
@@ -37,6 +37,7 @@ public static string GetCastFromObject(this Field field) case FieldType.Wildcard: case FieldType.Text: case FieldType.Ip: + case FieldType.GeoPoint: return "TrySetString"; case FieldType.Boolean: return "TrySetBool"; diff --git a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs index bc588afb..0c4e412b 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs 
@@ -1,31 +1,28 @@ +using System; using System.Linq; using System.Text.RegularExpressions; using Elastic.CommonSchema.Generator.Schema.DTO; -using YamlDotNet.Core.Tokens; namespace Elastic.CommonSchema.Generator.Projection { - public abstract class PropertyReference + public abstract class PropertyReference(Field field, string localPath, string fullPath) { - protected PropertyReference(string localPath, string fullPath) - { - LocalPath = localPath; - FullPath = fullPath; - } - + protected string LocalPath { get; } = localPath; + public string FullPath { get; } = fullPath; + public string LogTemplateAlternative => FullPath.PascalCase(); public string JsonProperty => FullPath.GetLocalProperty(LocalPath); public string Name => JsonProperty.PascalCase(); + public virtual bool IsArray { get; } = field?.Normalize.Contains("array") ?? false; + public virtual string Description { get; } = GetFieldDescription(field); + public virtual string Example { get; } = NormalizeDescription(field?.Example?.ToString() ?? string.Empty); + public virtual string ClrType { get; } = field?.GetClrType(); - private string LocalPath { get; } - public string FullPath { get; } - public string LogTemplateAlternative => FullPath.PascalCase(); - - public abstract string Description { get; } - public abstract string Example { get; } + public virtual bool IsAssignable => !IsArray && !string.IsNullOrWhiteSpace(ClrType); protected static string NormalizeDescription(string description) { + if (description == null) return string.Empty; var multiLineDescription = Regex.Replace(description, @"\n", "\r\n /// "); multiLineDescription = multiLineDescription.Replace("<", "<").Replace(">", ">"); multiLineDescription = multiLineDescription.Replace("ATT&CK", "ATT&CK"); 
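Review bot: In the new `IsArray` initializer, `field?.Normalize.Contains("array") ?? false` guards only `field`, so a non-null `Field` whose `Normalize` is null would throw while the base part of every property reference is being constructed. If the DTO does not guarantee a non-null list, write `field?.Normalize?.Contains("array") ?? false`. `IsAssignable` is now the single gate for what reaches the generated setters, so it also deserves a `/// <summary>` stating that arrays and fields without a CLR type are excluded.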
@@ -39,8 +36,9 @@ protected static string NormalizeDescription(string description) /// /// /// - protected static string GetFieldDescription(Field field) + private static string GetFieldDescription(Field field) { + if (field == null) return string.Empty; var multiLineDescription = NormalizeDescription(field.Description); var description = $@"{multiLineDescription}"; 
@@ -75,85 +73,75 @@ protected static string GetFieldDescription(Field field) } return description; } + } - public class ValueTypePropertyReference : PropertyReference + public class NestedValueTypePropertyReference : ValueTypePropertyReference { - public ValueTypePropertyReference(string parentPath, string fullPath, Field field) : base(parentPath, fullPath) + internal NestedValueTypePropertyReference(Field field, string parentPath, string fullPath, EntityPropertyReference property) + : base(field, parentPath, fullPath) { - ParentPath = parentPath; - Field = field; - ClrType = field.GetClrType(); - ReadJsonType = ClrType.PascalCase(); - CastFromObject = field.GetCastFromObject(); - Description = GetFieldDescription(field); - Example = NormalizeDescription(field.Example?.ToString() ?? string.Empty); - } - - internal ValueTypePropertyReference(string parentPath, string fullPath, Field field, EntityPropertyReference property) - : this(parentPath, fullPath,field) - { - OriginalFullPath = fullPath; - IsEntityDispatch = true; - CastFromObject = $"TryAssign{property.Entity.Name}"; - + Entity = property.Entity; ContainerPath = property.Name; ContainerPathEntity = property.Entity.Name; - //if (property.Name.Contains(".")) - //CastFromObject = $"TrySet{property.Name}"; } - public bool IsEntityDispatch { get; } - public string OriginalFullPath { get; } + public EntityClass Entity { get; } + public string ContainerPath { get; } public string ContainerPathEntity { get; } - internal string ParentPath { get; } - internal Field Field { get; } + } - public string CastFromObject { get; } + public class ValueTypePropertyReference + : PropertyReference + { + public ValueTypePropertyReference(Field field, string parentPath, string fullPath) : base(field, parentPath, fullPath) + { + Field = field; + ReadJsonType = field.GetClrType().PascalCase(); + } + + public ValueTypePropertyReference(ValueTypePropertyReference self, string localPath, string fullPath) + : base(self.Field, localPath, 
fullPath) + { + Field = self.Field; + ReadJsonType = self.ReadJsonType; + SelfReferential = true; + + } + + public Field Field { get; } public string ReadJsonType { get; } - public string ClrType { get; } - public override string Description { get; } - public override string Example { get; } + public bool SelfReferential { get; } + + public override bool IsAssignable => base.IsAssignable && !SelfReferential; + // creates deeply nested entity value type property references with updated paths public ValueTypePropertyReference CreateSettableTypePropertyReference(EntityPropertyReference property) { - var tokens = property.FullPath.Split(['.']).Where(t => !FullPath.StartsWith($"{t}.")).ToArray(); - var prefix = string.Join('.', tokens); - var newPath = $"{prefix}.{FullPath}"; - - return new ValueTypePropertyReference(prefix, newPath, Field, property); - /* - if (FullPath.StartsWith(property.JsonProperty)) - return new ValueTypePropertyReference(ParentPath, "", FullPath, Field, property); - - var tokens = property.JsonProperty.Split(['.']).Where(t => !FullPath.StartsWith($"{t}.")).ToArray(); - return new ValueTypePropertyReference(ParentPath, prefix, FullPath, Field, property); - */ + var propertyKey = property.FullPath.Split('.').First(); + var pre = string.Join('.', property.FullPath.Split('.')[1..]); + var post = string.Join('.', FullPath.Split('.')[1..]); + var entityKey = string.Join('.', property.FullPath.Split('.')[..^1]); + var fullPath = $"{propertyKey}.{pre}.{post}"; + + return new NestedValueTypePropertyReference(Field, entityKey, fullPath, property); } } - public class InlineObjectPropertyReference : PropertyReference + public class InlineObjectPropertyReference(Field field, string parentPath, string fullPath, InlineObject inlineObject) + : PropertyReference(field, parentPath, fullPath) { - public InlineObjectPropertyReference(string parentPath, string fullPath, InlineObject inlineObject, Field field) : base(parentPath, fullPath) - { - InlineObject = 
inlineObject; - Field = field; - Description = GetFieldDescription(field); - Example = NormalizeDescription(field.Example?.ToString() ?? string.Empty); - } + public InlineObject InlineObject { get; } = inlineObject; + public Field Field { get; } = field; - public InlineObject InlineObject { get; } - public Field Field { get; } - - public string ClrType => Field.Normalize.Contains("array") ? $"{InlineObject.Name}[]" : $"{InlineObject.Name}"; - public override string Description { get; } - public override string Example { get; } + public override string ClrType => IsArray ? $"{InlineObject.Name}[]" : $"{InlineObject.Name}"; } public class EntityPropertyReference : PropertyReference { - public EntityPropertyReference(string parentPath, string fullPath, EntityClass entity, string description, bool isArray) : base(parentPath, fullPath) + public EntityPropertyReference(string parentPath, string fullPath, EntityClass entity, string description, bool isArray) + : base(null, parentPath, fullPath) { var multiLineDescription = NormalizeDescription(description); Entity = entity; @@ -161,13 +149,15 @@ public EntityPropertyReference(string parentPath, string fullPath, EntityClass e Example = ""; ClrType = Entity.Name; IsArray = isArray; - if (isArray) ClrType += "[]"; + if (isArray) ClrType = $"{Entity.Name}[]"; } public EntityClass Entity { get; } - public bool IsArray { get; } - public string ClrType { get; } + public override bool IsAssignable => base.IsAssignable && Entity is not SelfReferentialReusedEntityClass; + + public override string ClrType { get; } + public override bool IsArray { get; } public override string Description { get; } public override string Example { get; } } diff --git a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs index c612449a..ca17680b 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs 
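Review bot: `CreateSettableTypePropertyReference` builds `fullPath` as `$"{propertyKey}.{pre}.{post}"`, which produces an empty segment (a double or trailing dot) whenever `property.FullPath` or `FullPath` has only one segment, and it splits `property.FullPath` three times to get there. Splitting once and joining the segments gives the same path in the multi-segment case without that edge: `var segments = property.FullPath.Split('.');`, `var entityKey = string.Join('.', segments[..^1]);`, `var fullPath = string.Join('.', segments.Concat(FullPath.Split('.')[1..]));`. Whether single-segment paths can reach this method is not visible in the hunk, so treat the edge case as something to confirm.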
+++ b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs @@ -130,9 +130,7 @@ public CommonSchemaTypesProjection CreateProjection() //.DistinctBy(g=>g.Name) .ToList(); foreach (var entity in entities) - { entity.AssignableInterfaces = assignables.Where(a => a.Entities.Contains(entity)).DistinctBy(a=>a.Name).ToList(); - } Projection = new CommonSchemaTypesProjection { @@ -165,6 +163,8 @@ public CommonSchemaTypesProjection CreateProjection() var found = assignable.TryGetValue(name, out var a); if (found && a.Property.IsArray) continue; + if (entity is SelfReferentialReusedEntityClass) + continue; propDispatches.Add(new PropDispatch(entity, a)); } Projection.AssignablePropDispatches = propDispatches; @@ -278,10 +278,10 @@ private void ExtractValueTypesAndInlineObjectDefinitions() currentPropertyReferences[fullPath] = currentPropertyReferences.TryGetValue(fullPath, out var p) ? p - : new InlineObjectPropertyReference(parentPath, fullPath, InlineObjects[fullPath], field); + : new InlineObjectPropertyReference(field, parentPath, fullPath, InlineObjects[fullPath]); } else - currentPropertyReferences[fullPath] = new ValueTypePropertyReference(parentPath, fullPath, field); + currentPropertyReferences[fullPath] = new ValueTypePropertyReference(field, parentPath, fullPath); } else { 
@@ -307,13 +307,13 @@ private void ExtractValueTypesAndInlineObjectDefinitions() currentPropertyReferences[path] = currentPropertyReferences.TryGetValue(path, out var p) ? p - : new InlineObjectPropertyReference(parentPath, path, InlineObjects[path], field); + : new InlineObjectPropertyReference(field, parentPath, path, InlineObjects[path]); currentPropertyReferences = InlineObjects[path].Properties; parentPath = path; foundInlineObjectPath = true; } if (!foundInlineObjectPath) parentPath = name; - currentPropertyReferences[fullPath] = new ValueTypePropertyReference(parentPath, fullPath, field); + currentPropertyReferences[fullPath] = new ValueTypePropertyReference(field, parentPath, fullPath); } } } diff --git a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs index 939eae41..f3a1a2e5 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs @@ -1,6 +1,7 @@ using System; using System.Collections.Generic; using System.Linq; +using System.Text.RegularExpressions; using Elastic.CommonSchema.Generator.Schema.DTO; namespace Elastic.CommonSchema.Generator.Projection @@ -18,8 +19,6 @@ public class FieldSetBaseClass(FieldSet fieldSet) public IEnumerable InlineObjectProperties => Properties.Values.OfType(); - public IEnumerable SettableProperties => ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)); - } public class InlineObject(string name, Field field) 
@@ -40,11 +39,32 @@ public class InlineObject(string name, Field field) } public class SelfReferentialReusedEntityClass - (string name, FieldSetBaseClass baseFieldSet, string reuseDescription, bool isArray) - : EntityClass(name, baseFieldSet) + : EntityClass { - public string ReuseDescription { get; } = reuseDescription; - public bool IsArray { get; } = isArray; + public SelfReferentialReusedEntityClass(string name, FieldSetBaseClass baseFieldSet, string reuseDescription, bool isArray) + : base(name, baseFieldSet) + { + ReuseDescription = reuseDescription; + IsArray = isArray; + + Find = baseFieldSet.FieldSet.Name; + Replace = name; + } + + public string Replace { get; set; } + public string Find { get; set; } + public string ReuseDescription { get; } + public bool IsArray { get; } + + protected override IEnumerable OwnProperties => + BaseFieldSet.ValueProperties.Where(p => p.IsAssignable) + .Select(v=> + { + var localPath = Replace; + var fullPath = Regex.Replace(v.FullPath, $@"^{Find}\.", $"{Replace}."); + + return new ValueTypePropertyReference(v, localPath, fullPath); + }); } 
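Review bot: In `OwnProperties`, `Regex.Replace(v.FullPath, $@"^{Find}\.", $"{Replace}.")` interpolates the field-set name into the pattern unescaped and the entity name into the replacement, so a regex metacharacter in `Find` (a `.` in a nested name, for instance) or a `$` in `Replace` changes what is matched or substituted. Since this is a plain prefix swap, `v.FullPath.StartsWith($"{Find}.", StringComparison.Ordinal) ? $"{Replace}.{v.FullPath[(Find.Length + 1)..]}" : v.FullPath` does the same without a regex; otherwise wrap the pattern part in `Regex.Escape(Find)`. `Find` and `Replace` are also the only members of the class with public setters, and nothing visible here needs them to be mutable.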
@@ -67,10 +87,27 @@ public EntityClass(string name, FieldSetBaseClass baseFieldSet) public IEnumerable EntityProperties => EntityReferences.Values; - public IEnumerable SettableProperties => - BaseFieldSet.ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)) - .Concat(EntityProperties.SelectMany(e=>e.Entity.SettableProperties.Select(s=>s.CreateSettableTypePropertyReference(e)))) - .DistinctBy(e=>e.Name); + protected virtual IEnumerable OwnProperties => + BaseFieldSet.ValueProperties.Where(p => p.IsAssignable); + + public IEnumerable SettableProperties + { + get + { + if (Name is "EcsDocument") + return OwnProperties; + return OwnProperties + .Concat(EntityProperties + .Where(p => p.IsAssignable) + .SelectMany(e => e.Entity.SettableProperties + .Select(s => s.CreateSettableTypePropertyReference(e)) + ) + ) + .DistinctBy(e => e.Name); + } + } + + public IList DispatchProperties => SettableProperties.Select(s=> new DispatchProperty(s)).ToList(); //provided later 
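Review bot: The recursive `SettableProperties` getter has no documentation of what keeps it finite or why `Name is "EcsDocument"` short-circuits to `OwnProperties`. The walk through `e.Entity.SettableProperties` stops only because `IsAssignable` filters out arrays and self-referential reuses; two entities that reference each other would still recurse without bound, which is worth confirming cannot happen in the schema. I would add `/// <summary>Own assignable value properties plus, recursively, those of assignable nested entities re-rooted under this entity's path.</summary>` and a one-line comment above the `EcsDocument` check giving its reason. `DistinctBy(e => e.Name)` also silently keeps the first of two properties sharing a `Name`; a comment on which one is expected to win would help.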
@@ -86,19 +123,52 @@ public string AssignableInterfacesAsString } } + /// + /// Represents an interface for entities that can set a particular nested property. + /// E.g. both EcsDocument and Client have an `As` property of type `As`. + /// + public class AssignableEntityInterface(string name, EntityPropertyReference property, List entities) + { + public EntityPropertyReference Property { get; } = property; + public List Entities { get; } = entities; + public string Name { get; } = $"I{name}"; + } + - public class AssignableEntityInterface + public class DispatchProperty { - public AssignableEntityInterface(string name, EntityPropertyReference property, List entities) - { - Name = $"I{name}"; - Property = property; - Entities = entities; - } + public bool IsEntityDispatch { get; } + public string FullPath { get; } + public string LogTemplateAlternative { get; } + public string CastFromObject { get; } + public string ContainerPath { get; } = string.Empty; + public string ContainerPathEntity { get; } = string.Empty; - public EntityPropertyReference Property { get; } - public List Entities { get; } public string Name { get; } + public string JsonProperty { get; } + public bool SelfReferential { get; } + + public DispatchProperty(PropertyReference property) + { + JsonProperty = property.JsonProperty; + FullPath = property.FullPath; + LogTemplateAlternative = property.LogTemplateAlternative; + Name = property.Name; + switch (property) + { + case NestedValueTypePropertyReference nested: + IsEntityDispatch = true; + CastFromObject = $"TryAssign{nested.Entity.Name}"; + ContainerPath = nested.ContainerPath; + ContainerPathEntity = nested.ContainerPathEntity; + SelfReferential = nested.SelfReferential; + break; + case ValueTypePropertyReference value: + CastFromObject = value.Field.GetCastFromObject(); + SelfReferential = value.SelfReferential; + break; + } + } } public class PropDispatch 
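Review bot: The `switch (property)` in the `DispatchProperty` constructor has no default arm, so any `PropertyReference` that is not a value-type reference leaves `CastFromObject` null, and `value.Field.GetCastFromObject()` can presumably also return null for field types without a setter helper. The previous `SettableProperties` filtered on `!string.IsNullOrEmpty(p.CastFromObject)`, while the new `IsAssignable` gate checks only `IsArray` and `ClrType`, so such a property would now reach the dispatch view and be emitted as a call with an empty method name. Either narrow the parameter to `ValueTypePropertyReference` or fail generation early with `default: throw new ArgumentOutOfRangeException(nameof(property));` plus a null check on `CastFromObject`. The order of the two cases matters because `NestedValueTypePropertyReference` derives from `ValueTypePropertyReference`; a comment saying so would protect it from reordering.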
@@ -109,6 +179,7 @@ public class PropDispatch public EntityClass Entity { get; } public string AssignParameter { get; } public string AssignEntity { get; set; } + public List AssignableProperties { get; set; } public PropDispatch(EntityClass entity, AssignableEntityInterface assignable) { @@ -118,15 +189,13 @@ public PropDispatch(EntityClass entity, AssignableEntityInterface assignable) AssignEntity = entity.Name; Entity = entity; AssignTarget = entity.Name; - SettableProperties = Entity.SettableProperties.ToList(); + AssignableProperties = Entity.SettableProperties.Select(e => new DispatchProperty(e)).ToList(); AssignParameter = "EcsDocument"; - if (assignable is { } a) + if (assignable is not null) { AssignParameter = $"I{Name}"; AssignTarget = assignable.Property.Name; } } - - public List SettableProperties { get; set; } } } diff --git a/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml index 428159e1..8f49fc32 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml @@ -29,7 +29,7 @@ namespace Elastic.CommonSchema ///All properties that supports public static class LogTemplateProperties { -@foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) +@foreach (var prop in Model.Base.SettableProperties) { /// /// @prop.FullPath @@ -57,7 +57,7 @@ namespace Elastic.CommonSchema ///All properties that supports public static readonly HashSet@(Raw("")) All = new() { -@foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) +@foreach (var prop in Model.Base.SettableProperties) { "@prop.FullPath", @prop.LogTemplateAlternative, diff --git a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml index 61aae36f..64a2aa4b 100644 
--- a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml @@ -106,7 +106,7 @@ namespace Elastic.CommonSchema { switch (path) { - @foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) + @foreach (var prop in Model.Base.SettableProperties) { case "@prop.FullPath": case "@prop.LogTemplateAlternative": @@ -115,7 +115,7 @@ namespace Elastic.CommonSchema return TrySet@(@Model.Base.Name)(document, path, value); @foreach (var entity in Model.EntityClasses) { - if (!entity.BaseFieldSet.SettableProperties.Any()) + if (!entity.SettableProperties.Any()) { continue; } @@ -137,7 +137,7 @@ namespace Elastic.CommonSchema { Func@(Raw("<"))@(Model.Base.Name), object, bool@(Raw(">")) assign = path switch { - @foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) + @foreach (var prop in Model.Base.DispatchProperties) { "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), @@ -155,7 +155,7 @@ namespace Elastic.CommonSchema { Func@(Raw("<"))@(dispatch.FuncTarget), object, bool@(Raw(">")) assign = path switch { - @foreach (var prop in dispatch.SettableProperties) + @foreach (var prop in dispatch.AssignableProperties) { if (!prop.IsEntityDispatch) { 
@@ -165,8 +165,8 @@ namespace Elastic.CommonSchema } else { - "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ?? new @(prop.ContainerPathEntity)(),v), - "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ?? new @(prop.ContainerPathEntity)(),v), + "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ??= new @(prop.ContainerPathEntity)(),v), + "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ??= new @(prop.ContainerPathEntity)(),v), } } From 2a18fe330863b34e68f232f36fd370f17b704961 Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Wed, 25 Sep 2024 21:54:45 +0200 Subject: [PATCH 7/8] include client.nat.ip test for completeness sake --- .../Repro/GithubIssue402.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs index b9d233b7..38f5d8f4 100644 --- a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs +++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs @@ -41,6 +41,13 @@ public void CanAssignNestedAs() => Setup("client.as.number", 1, (info, v) => info.Client!.As!.Number.Should().Be(v); }); + [Fact] + public void CanAssignNestedNatIp() => Setup("client.nat.ip", "ip", (info, v) => + { + info.Client.Should().NotBeNull(); + info.Client!.NatIp.Should().Be(v); + }); + [Fact] public void CanAssignDeeplyNestedThreatX509() => Setup("threat.indicator.x509.serial_number", "123", (info, v) => { From 6371a149f8a4406a99e65c5d72b746b225240d41 Mon Sep 17 00:00:00 2001 
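Review bot: The entity-dispatch arms now use `e.@(prop.ContainerPath) ??= new @(prop.ContainerPathEntity)()`, which attaches a fresh container to the document before the inner setter runs, so a value that fails the cast still leaves an empty nested entity on the event. The `TrySet…` helpers seen earlier in this patch (on removed lines, so possibly relocated) build the entity in a local and assign it back only when `assigned` is true. Doing the same here keeps a rejected property from changing the serialized document, with a lambda body along the lines of `var c = e.@(prop.ContainerPath) ?? new @(prop.ContainerPathEntity)(); var ok = @(prop.CastFromObject)("@(prop.JsonProperty)")(c, v); if (ok) e.@(prop.ContainerPath) = c; return ok;`. The `switch` these arms belong to starts outside the hunk.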
From: Martijn Laarman Date: Wed, 25 Sep 2024 22:10:09 +0200 Subject: [PATCH 8/8] Ensure [JsonSerializable(typeof(LogEntityJsonConverter.*))] does not get generated away --- src/Elastic.CommonSchema/Entities.cs | 1 + .../Serialization/EcsJsonContext.Generated.cs | 2 ++ .../Repro/GithubIssue402.cs | 9 +++++++++ .../Views/EcsJsonContext.Generated.cshtml | 2 ++ 4 files changed, 14 insertions(+) diff --git a/src/Elastic.CommonSchema/Entities.cs b/src/Elastic.CommonSchema/Entities.cs index edf28bc3..36b46ee0 100644 --- a/src/Elastic.CommonSchema/Entities.cs +++ b/src/Elastic.CommonSchema/Entities.cs @@ -11,3 +11,4 @@ namespace Elastic.CommonSchema; public partial class Log { } [JsonConverter(typeof(EcsEntityJsonConverter))] public partial class Ecs { } + diff --git a/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs b/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs index 8629bf80..dfce92a7 100644 --- a/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs +++ b/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs @@ -63,5 +63,7 @@ namespace Elastic.CommonSchema.Serialization; [JsonSerializable(typeof(Vlan))] [JsonSerializable(typeof(Vulnerability))] [JsonSerializable(typeof(X509))] +[JsonSerializable(typeof(LogEntityJsonConverter.LogOriginInvalid))] +[JsonSerializable(typeof(LogEntityJsonConverter.LogFileOriginInvalid))] [JsonSourceGenerationOptions(DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)] internal partial class EcsJsonContext : JsonSerializerContext { } \ No newline at end of file diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs index 38f5d8f4..08270f47 100644 --- a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs +++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs 
@@ -54,6 +54,15 @@ public void CanAssignDeeplyNestedThreatX509() => Setup("threat.indicator.x509.se info.Threat.Should().NotBeNull(); info.Threat!.IndicatorX509.Should().NotBeNull(); info.Threat!.IndicatorX509!.SerialNumber.Should().Be(v); + //info.Threat.IndicatorFile.Pe.Company + }); + [Fact] + public void CanAssignMultipleEntitiesDeep() => Setup("threat.indicator.file.pe.company", "comp", (info, v) => + { + info.Threat.Should().NotBeNull(); + info.Threat!.IndicatorFile.Should().NotBeNull(); + info.Threat!.IndicatorFile!.Pe.Should().NotBeNull(); + info.Threat.IndicatorFile!.Pe!.Company.Should().Be(v); }); [Fact] diff --git a/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml index 4643e6a5..88363fad 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml @@ -27,5 +27,7 @@ namespace Elastic.CommonSchema.Serialization; [JsonSerializable(typeof(@entity.Name))] } +[JsonSerializable(typeof(LogEntityJsonConverter.LogOriginInvalid))] +[JsonSerializable(typeof(LogEntityJsonConverter.LogFileOriginInvalid))] [JsonSourceGenerationOptions(DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)] internal partial class EcsJsonContext : JsonSerializerContext { } \ No newline at end of file
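Review bot: The two `[JsonSerializable(typeof(LogEntityJsonConverter.…))]` lines added to the `EcsJsonContext` template sit outside the entity loop with nothing explaining why they are listed by hand. A comment above them such as `// nested types of LogEntityJsonConverter; not covered by the entity loop, keep in sync by hand` would stop the next template edit from dropping them again.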