IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Google Santa fields
Santa Module

santa fields

santa.action
    type: keyword
    example: EXEC
    Action

santa.decision
    type: keyword
    example: ALLOW
    Decision that santad took.

santa.reason
    type: keyword
    example: CERT
    Reason for the decision.

santa.mode
    type: keyword
    example: M
    Operating mode of Santa.

disk fields

Fields for DISKAPPEAR actions.

santa.disk.volume
    The volume name.

santa.disk.bus
    The disk bus protocol.

santa.disk.serial
    The disk serial number.

santa.disk.bsdname
    example: disk1s3
    The disk BSD name.

santa.disk.model
    example: APPLE SSD SM0512L
    The disk model.

santa.disk.fs
    example: apfs
    The disk volume kind (filesystem type).

santa.disk.mount
    The disk volume path.

certificate.common_name
    type: keyword
    Common name from code signing certificate.

certificate.sha256
    type: keyword
    SHA256 hash of code signing certificate.

hash.sha256
    type: keyword
    Hash of process executable.