Associated Fields
The associated fields are generated automatically by the Illuminate indexing templates. They will not appear in the message view but can be used in searches, event definitions, and aggregations. These fields will contain one or more value(s) that are copied from associated source fields, e.g. associated_ip would contain the values copied from both source_ip and destination_ip in a network event log message. The intent of these fields is to provide a single field that can be searched/analyzed for a value, instead of requiring users to search for all of the possible candidate fields for a given value.
The source fields are any schema-defined fields that contain data matching the criteria for the defined association.
| field | field_type | description | example_values |
|---|---|---|---|
| associated_hash | keyword | All associated MD5, SHA1, SHA256, SHA512, IMP hashes from a log message | 6f9efb466e043b9f3635827ce446e13c |
| associated_host | keyword | FUTURE: copy of any identifying host information (IP, hostname, etc.) from a log message; not implemented yet. | 10.1.2.3, corpdc01, corpdc01.corpdomain.local |
| associated_ip | ip | Associated IP addresses for a log message | 10.1.2.3, fe80:5cc3:11:4::2c |
| associated_mac | keyword | Associated MAC addresses for a log message | a0:b4:44:01:a9:d1 |
| associated_session_id | keyword | Associated session IDs for a log message | 0xa72c |
| associated_user_id | keyword | This will be a field that maps to all user ID values (UIDs, SIDs, etc.) that are associated with a user context. | 999, S-1-5-18 |
| associated_user_name | keyword/lowercase | Any associated/alternate user name from a log message | administrator, root, administrator@corp.local |

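The copy-and-merge behaviour described above, as an added example that is not Illuminate's own template code: it derives associated_* fields from a parsed message so that one field can be searched instead of every candidate source field. The source-field names other than source_ip and destination_ip, and the mapping table itself, are assumptions for illustration.

```python
# Added illustration, not Illuminate's indexing templates. Derives associated_*
# fields from a parsed log message the way the page describes: each associated
# field collects unique values copied from its candidate source fields.
from ipaddress import ip_address

# Assumed mapping: associated field -> candidate source fields in the schema.
# Only source_ip / destination_ip come from the page; the rest are placeholders.
ASSOCIATIONS = {
    "associated_ip": ["source_ip", "destination_ip"],
    "associated_hash": ["file_hash_md5", "file_hash_sha1", "file_hash_sha256"],
    "associated_user_id": ["user_id", "target_user_id"],
    "associated_user_name": ["user_name", "target_user_name"],
}
# Fields typed keyword/lowercase are normalized before copying.
LOWERCASE = {"associated_user_name"}

def build_associated(message):
    """Return the message plus derived associated_* fields (list-valued, deduplicated)."""
    out = dict(message)
    for assoc, sources in ASSOCIATIONS.items():
        values = []
        for src in sources:
            val = message.get(src)
            if val in (None, ""):
                continue
            if assoc in LOWERCASE:
                val = val.lower()
            if assoc == "associated_ip":
                try:
                    ip_address(val)  # ip-typed field: drop values that would not index
                except ValueError:
                    continue
            if val not in values:
                values.append(val)
        if values:
            out[assoc] = values
    return out

def matches(message, field, value):
    """Simulate a search on a single field, e.g. associated_ip:10.1.2.3."""
    hits = message.get(field, [])
    return value in hits if isinstance(hits, list) else hits == value

# Constructed sample event (not a real log line).
SAMPLE = {
    "source_ip": "10.1.2.3", "destination_ip": "fe80:5cc3:11:4::2c",
    "user_name": "Administrator", "target_user_name": "administrator",
    "user_id": "S-1-5-18", "file_hash_md5": "6f9efb466e043b9f3635827ce446e13c",
}
```

Calling `build_associated(SAMPLE)` yields `associated_ip == ['10.1.2.3', 'fe80:5cc3:11:4::2c']` and `associated_user_name == ['administrator']`, so `matches(enriched, "associated_ip", "fe80:5cc3:11:4::2c")` is true without inspecting either source field.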