Search help content

Open XDR Data Format

Breadcrumbs

ESET Online Help > ESET PROTECT > Using ESET PROTECT > ESET PROTECT Main Menu > Advanced Search > Open XDR Data Format

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

Open XDR Data Format is based on Elastic Common Schema (ECS), which is the normalized format used for ESET Open XDR. ECS simplifies writing queries and enables correlating data across different data sources. Telemetry events, indicators and incidents are normalized into this schema across products and integrations that are part of the Open XDR Platform.

Open XDR Data is available from computers running ESET Management Agent version 13.0+ and ESET Inspect Connector 3.0+.

Find more about unifying ESET Inspect and ESET PROTECT (Open XDR).

Field Sets

ECS defines multiple groups of related fields, known as Field Sets.

Agent Field Set

Agent fields describe the software component that collects, detects, or observes telemetry events or indicators.

Field Name

Field Mapping

Example

Integrations providing this field

Allowed values

Note

agent.build.original

keyword

13.01115.0

ESET

N/A

Extended build information.

agent.type

keyword

endpoint-security

all

•endpoint-security

•endpoint-detection-response

Type of agent or integration that collected or observed the event.

•endpoint-security—for endpoint protection data (ESET PROTECT)

•endpoint-detection-response—for EDR data (ESET Inspect)

agent.version

keyword

2.8.5555.0

ESET

N/A

Version of the agent.

Base Field Sets

The base field set contains all fields which are at the root of the events. These fields are common across all types of events.

Field Name

Field Mapping

Example

Integrations providing this field

Allowed values

Note

@timestamp

date

2016-05-23T08:05:34.853Z

all

N/A

Date/time when the event originated. Usually taken from the event source. If unavailable, it is set to when the pipeline first received the event.

All timestamp fields are stored in UTC. When displayed they are converted to the time zone set in console user settings.

Cloud Field Set

Designed to capture metadata about resources running in a cloud environment.

Field Name

Field Mapping

Example

Integrations providing this field

Allowed values

Note

cloud.provider

keyword

azure

ESET

•azure

•aws

•gcp

Identifies the cloud service provider where the resource is running.

cloud.instance.id

keyword

/subscriptions/9d7b40e6-e45a-4253-95cf-00150351bc5e/resourceGroups/rg-eic-vms/providers/Microsoft.Compute/virtualMachines/rep-azure-eic

ESET

N/A

Unique identifier for the instance (virtual machine or compute resource) provided by the cloud provider.

Code Signature Field Set

Fields describing the digital signature of a file on disk, an executable that launched a process, or a dynamically loaded library. They indicate whether the file is signed, who signed it, and whether the signature is valid and trusted. Code signature fields are expected to be nested at:

•process.*

•file.*

•dll.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
code_signature.exists	boolean	true	ESET	N/A	Indicates whether a digital signature is present. Only populated when data originates from ESET Inspect.
code_signature.signing_id	keyword	com.eset.remoteadministrator.agent	ESET	N/A	Identifier associated with the entity that signed the file. Only populated when data originates from ESET Inspect on macOS devices.
code_signature.status	keyword	trusted	ESET	For ESET, the following values are allowed: •trusted •valid •adhoc •none •invalid •unknown •present	The validation status of the digital signature, indicating whether it is trusted, invalid, or has another state. Only populated when data originates from ESET Inspect. •trusted—signature trusted by ESET. •valid—signature trusted by OS. •adhoc—self-signed (macOS only). •none—no signature. •invalid —signature untrusted by OS, corrupted or revoked. •unknown—unable to determine whether a signature is present. •present—signature is present, but trust could not be verified.
code_signature.subject_name	keyword	"ESET, spol. s r.o."	ESET	N/A	Name of the entity (individual, organization, or publisher) that signed the file, as listed in the digital signature. Only populated when data originates from ESET Inspect.
code_signature.team_id	keyword	P8DQRXPVLP	ESET	N/A	Identifier assigned to the development team that signed the file. Only populated when data originates from ESET Inspect on macOS devices.

Destination Field Set

Fields that describe the target of a network connection or data transfer. This typically includes details about the endpoint receiving the data, such as IP address, port, domain.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
destination.address	keyword	192.168.1.1	ESET	N/A	The raw address of the destination, as provided by the source. This can be an IP address, a domain name, or another network identifier.
destination.ip	ip	192.168.1.1	ESET	N/A	IP address of the destination host or endpoint receiving the network traffic.
destination.mac	keyword	00-11-22-33-44-55	ESET	N/A	MAC address of the destination network interface.
destination.port	long	22	ESET	N/A	Network port number of the destination.

Device Field Set

Fields that describe the hardware device involved in the event. This typically includes attributes such as device identifiers, model, manufacturer, serial number, and other characteristics that help identify the physical device generating or receiving data.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
device.manufacturer	keyword	VMware, Inc.	ESET	N/A	The name of the company or vendor that manufactured the device.
device.model.identifier	keyword	VMware Virtual Platform	ESET	N/A	A unique identifier for the device model, provided by the manufacturer to distinguish between different hardware models.
device.serial_number	keyword	VMware-11 22 33 44 55 66 77 88-99 aa bb bb dd ee ff 00	ESET	N/A	The unique serial number assigned to the device by the manufacturer.

DLL Field Set

Fields describing a dynamically loaded library involved in an event. While the name is Windows-centric, this field set covers multiple platforms:

•Dynamic-link library (.dll) commonly used on Windows

•Shared Object (.so) commonly used on Unix-like operating systems

•Dynamic library (.dylib) commonly used on macOS

Following field sets can be nested under DLL field set:

•dll.code_signature.*

•dll.hash.*

•dll.pe.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
dll.name	keyword	scrobj.dll	ESET	N/A	The name of the dynamically loaded library file, without the path.
dll.path	keyword	C:\Windows\syswow64\scrobj.dll	ESET	N/A	The full file system path to the dynamically loaded library.

ECS Field Set

ECS-specific meta information.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
ecs.version	keyword	8.16	all	N/A	ECS version this event conforms to.

Event Field Set

Fields that describe the details of an event or activity captured by a system or application. These fields provide context such as the event’s category, type, action, outcome, and timestamps.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
event.action	keyword	file-cleaned	ESET	For ESET, the following values are allowed: •rule-triggered •connection-terminated •file-blocked •file-deleted •file-cleaned •file-marked-for-deletion •part-of-deleted-object •retained •exploit-blocked •ransomware-blocked	The specific action or operation that triggered the event. Field is provided only if applicable to the specific event.
event.category	keyword array	malware	all	•api •authentication •configuration •database •driver •email •file •host •iam •intrusion_detection •library •malware •network •package •process •registry •session •threat •vulnerability •web	High-level classification of the event, used to group similar types of activity. This field helps organize events into broad functional categories for easier filtering and analysis. This field can contain multiple values.
event.created	date	2016-05-23T08:05:34.857Z	ESET	N/A	Represents timestamp when the agent first received or observed the event. The value should be slightly different from @timestamp.
event.dataset	keyword	eset.antivirus	all	•eset.antivirus •eset.firewall •eset.hips •eset.blockedfile •eset.blockedurl •eset.rule	Name of the dataset that the event belongs to. This value is typically used to group related events from the same source or integration.
event.id	keyword	ac42bf19-3ec1-4e92-a9e6-e54ce27a3c9e	all	N/A	Unique ID of the event.
event.ingested	date	2016-05-23T08:05:34.857Z	all	N/A	Represents timestamp when the event arrived to the ESET PROTECT console.
event.kind	keyword	alert	all	For ESET, the following values are allowed: •alert •event	High-level categorization of the information type the event carries. In the context of ESET, value alert corresponds to an indicator, while event refers to a telemetry event.
event.module	keyword	eset	all	For ESET, the following values are allowed: •eset	Identifies the name of the integration that generated the event. This field is used to group events by their source.
event.outcome	keyword	success	all	•failure •success •unknown	Indicates the result of the event or action.
event.provider	keyword	Real-time file system protection	ESET	N/A	Identifies the source or component within the system that generated the event. This is often the name of the application, service, or subsystem responsible for producing the data. In the context of ESET, this value is sometimes referred to as the scanner, indicating which ESET scanning engine or module detected or reported the event.
event.reason	keyword	Test file: Eicar - file:///C:/Users/Administrator/Desktop/eicar.txt	ESET	N/A	Provides a descriptive explanation of why the event occurred. This field contains human-readable text that clarify the cause, trigger, or justification for the event.
event.risk_score	float	40	ESET	N/A	Numeric value representing the estimated risk of the event as provided by the event source.
event.severity	long	2	ESET	N/A	Numeric value representing the severity of the event as provided by the event source.
event.type	keyword array	deletion	all	•access •admin •allowed •change •connection •creation •deletion •denied •device •end •error •group •indicator •info •installation •protocol •start •user	Describes the specific type or action represented by the event within its category. This field provides more granular classification than event.category.

File Field Set

Represents details about a file involved in the event. Following field sets can be nested under file field set:

•file.code_signature.*

•file.hash.*

•file.pe.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
file.directory	keyword	C:\Windows\System32	ESET	N/A	The directory path where the file is located, excluding the filename.
file.extension	keyword	dll	ESET	N/A	The file’s extension, excluding the leading dot.
file.name	keyword	rasadhlp.dll	ESET	N/A	The name of the file, including the extension but without the directory path.
file.path	keyword	C:\Windows\System32\rasadhlp.dll	ESET	N/A	The full path to the file, including directories and the filename.
file.type	keyword	file	ESET	•file •directory •symlink	The file’s general type. Indicates the nature of the object in the filesystem.

Hash Field Set

Contains cryptographic hash values that uniquely identify files. Hash fields are expected to be nested at:

•process.hash.*

•file.hash.*

•dll.hash.*

•email.attachments.file.hash.*

•eset.executable.hash.*

•eset.process.loaded_libraries.hash.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
hash.md5	keyword	F0B123ABEAEB45AB8837F2372C655B60	ESET	N/A	The MD5 hash of the file or data.
hash.sha1	keyword	DB75962AE7A258C5DFA4F558BD8B7D04F2FED03F	ESET	N/A	The SHA1 hash of the file or data.
hash.sha256	keyword	3C2189DA86FB4F981CB15D4FA74BB5CC0A7096EBAE40274D1C113B2E3291DABC	ESET	N/A	The SHA256 hash of the file or data.

Host Field Set

Represents details about the host (computer, server, or device) where the event originated or was observed. Following field sets can be nested under host field set:

•host.os.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
host.architecture	keyword	x86-64	ESET	N/A	CPU architecture of the host.
host.domain	keyword	CONTOSO	ESET	N/A	The domain name of the host, typically representing the Active Directory domain to which the host belongs.
host.hostname	keyword	SRV-02	ESET	N/A	The hostname as reported by the operating system hostname command.
host.id	keyword	59a611f9-a01e-47a6-a839-03b1e4ac3e67	ESET	N/A	Unique identifier for the host.
host.ip	ip array	192.168.1.35	ESET	N/A	IP address(es) assigned to the host.
host.mac	keyword array	00-11-22-33-44-55	ESET	N/A	MAC address(es) of the host’s network interfaces.
host.name	keyword	SRV-02.contoso.local	ESET	N/A	Name of the host.
host.type	keyword	server	ESET	For ESET, the following values are allowed: •workstation •server •mobile	Type of the host.

Network Field Set

Represents details about network activity related to the event. These fields describe the protocol, direction, and identifiers for network traffic.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
network.community_id	keyword	1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0	ESET	N/A	A hash value that uniquely identifies a network flow based on its 5-tuple (source IP, destination IP, source port, destination port, and transport protocol). It provides a consistent way to correlate network sessions across different systems and tools. More information at github.
network.direction	keyword	ingress	ESET	•ingress •egress	Direction of the traffic relative to the host.
network.protocol	keyword	ssh	ESET	N/A	Name of the network protocol used. In OSI model this is equivalent of Application layer.
network.transport	keyword	tcp	ESET	N/A	Underlying transport protocol. In OSI model this is equivalent of Transport layer.
network.type	keyword	ipv4	ESET	N/A	Type of network traffic. In OSI model this is equivalent of Network layer.

Operating System Field Set

Represents details about the operating system running on a host or device. Operating system fields are expected to be nested at:

•host.os.*

Field Name

Field Mapping

Example

Integrations providing this field

Allowed values

Note

os.name

keyword

Multi-field:

os.name.text - match_only_text

Microsoft Windows 10 Pro

ESET

N/A

Human-readable name of the operating system.

os.type

keyword

windows

ESET

For ESET, the following values are allowed:

•windows

•linux

•macos

•ios

•android

General type of the operating system.

os.version

keyword

10.0.19045.6456

ESET

N/A

Version string of the operating system.

PE Field Set

Represents metadata extracted from a Windows Portable Executable (PE) file, such as executables, DLLs, and drivers. PE fields are expected to be nested at:

•dll.pe.*

•file.pe.*

•process.pe.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
pe.architecture	keyword	x64	ESET	N/A	Specifies the CPU architecture that the Portable Executable (PE) file was built for.
pe.company	keyword	Google LLC	ESET	N/A	Name of the company that published the executable.
pe.description	keyword	Google Chrome	ESET	N/A	Description of the file’s purpose.
pe.original_file_name	keyword	chrome.exe	ESET	N/A	Name the executable had when it was compiled and signed.
pe.product	keyword	Google Chrome	ESET	N/A	Name of the product the file belongs to.
pe.file_version	keyword	142.0.7444.176	ESET	N/A	Version of the file as specified in its metadata.

Process Field Set

Represents details about a process running on a host that is related to the event. Process fields are expected to be nested at:

•process.parent.*

Following field sets can be nested under process field set:

•process.code_signature.*

•process.hash.*

•process.pe.*

•process.user.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
process.args	keyword array	C:\Windows\system32\whoami.exe, /groups, /FO, csv, /NH	ESET	N/A	Array of arguments passed to the process.
process.args_count	long	5	ESET	N/A	Count of the arguments passed to the process.
process.command_line	wildcard Multi-field: process.command_line.text - match_only_text	C:\Windows\system32\whoami.exe /groups /FO csv /NH	ESET	N/A	The full command line used to start the process, including arguments.
process.end	date	2016-05-23T08:05:34.853Z	ESET	N/A	Timestamp when the process ended. If the field is not populated, the process was still running when the event was generated.
process.entity_id	keyword	bff9c549-c059-4f7d-a804-f38b34026738	ESET	N/A	Unique identifier for the process. Implementation depends on the data source.
process.executable	keyword Multi-field: process.executable.text - match_only_text	C:\Windows\system32\whoami.exe	ESET	N/A	Full path to the process executable file.
process.name	keyword	whoami.exe	ESET	N/A	The name of the process executable.
process.pid	long	9988	ESET	N/A	Process ID assigned by the operating system.
process.start	date	2016-05-23T08:05:34.853Z	ESET	N/A	Timestamp when the process started.

Related Field Set

Contains lists of identifiers that are related to the event. These values help with pivoting across different events that may have the same value in different fields e.g. process.hash and process.parent.hash.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
related.hash	keyword array	444E5470860EC480B08DF9B5D9032946B03C7837, BF803E9A7A7F4499C5B4E8B59756905DE8A238C5AED3AD6C93665E047C473E01	ESET	N/A	Array of hashes related to the event.
related.hosts	keyword array	SRV-02.contoso.local	ESET	N/A	Array of hosts related to the event.
related.ip	ip array	192.168.1.86, 10.1.40.125	ESET	N/A	Array of IP addresses related to the event.
related.user	keyword array	S-1-5-18, system	ESET	N/A	Array of user identifiers related to the event.

Rule Field Set

Represents details about an indicator. These fields help identify, categorize, and correlate indicators based on the detection logic that triggered them.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
rule.author	keyword	ESET	ESET	N/A	Author of the detection rule.
rule.name	keyword	Reading Sensitive Files from Shadow Volume [D0331]	all	N/A	Name of the rule. This value should be populated by all indicators.
rule.category	keyword	File System	ESET	N/A	Broad category of the rule.
rule.uuid	keyword	0c464b88-2781-4686-8c7e-163358b3dba4	ESET	N/A	Unique identifier for the rule, within the scope of the the entire system. Assigned by the rule author. In case of ESET Inspect, this is the value used in the <guid> tags in the rule source code.
rule.id	keyword	de7af049-8ddd-4c2c-a054-734368a1082	ESET	N/A	Unique identifier for the rule version, within the scope of the host. Often assigned by the detection engine.
rule.description	keyword	Adversary tries to access the filesystem backups present in shadow volumes and extract sensitive data. These include SAM registry hives or the NTDS.dit Active Directory database in order to extract credentials from them later. Administrator rights are usually necessary to access these files with exception of CVE-2021-36934 (Hivenightmare)	ESET	N/A	Provides a human-readable explanation of what the rule detects or its intended purpose. This field helps analysts to understand the logic or context behind the alert without reviewing the full rule definition. In case of ESET Inspect this is the contents of the <explanation> tags in the rule source code.

Source Field Set

Fields that describe the source of a network connection or data transfer. This typically includes details about the endpoint sending the data, such as IP address, port, domain.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
source.address	keyword	192.168.1.1	ESET	N/A	The raw address of the source, as provided by the source. This can be an IP address, a domain name, or another network identifier.
source.ip	ip	192.168.1.1	ESET	N/A	IP address of the source host or endpoint sending the network traffic.
source.mac	keyword	00-11-22-33-44-55	ESET	N/A	MAC address of the source network interface.
source.port	long	80	ESET	N/A	Network port number of the source.

URL Field Set

Represents details about a URL involved in the event. These fields describe the structure and components of the URL.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
url.domain	keyword	autodiscover.contoso.com	ESET	N/A	The domain name extracted from the URL.
url.extension	keyword	xml	ESET	N/A	The file extension from the URL path.
url.full	wildcard Multi-field: url.full.text - match_only_text	http://autodiscover.contoso.com/autodiscover/autodiscover.xml	ESET	N/A	The complete URL.
url.original	wildcard Multi-field: url.original.text - match_only_text	http://autodiscover.contoso.com/autodiscover/autodiscover.xml	ESET	N/A	The complete URL as provided by the original data source.
url.path	wildcard	/autodiscover/autodiscover.xml	ESET	N/A	The path portion of the URL.
url.scheme	keyword	http	ESET	N/A	The protocol or scheme used.

User Field Set

Represents details about a user associated with the event. User fields are expected to be nested at:

•process.user.*

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
user.name	keyword	john	ESET	N/A	The username or account name.
user.domain	keyword	contoso	ESET	N/A	Domain or realm the user belongs to.
user.id	keyword	S-1-5-21-202424912787-2692429404-2351956786-1000	ESET	N/A	Unique identifier of the user.

Extensions

Custom ECS extensions are additional field sets introduced by integrations to capture data that is not covered by the standard Elastic Common Schema. These fields allow for richer context and vendor-specific attributes while maintaining compatibility with ECS. Extensions must follow ECS naming conventions and are grouped under a clear namespace to avoid conflicts with standard ECS fields.

ESET Extension

The ESET Extension standardizes data from ESET products by mapping antivirus detections and behavioral indicators to custom ECS fields under eset.* namespace.

Field Name	Field Mapping	Example	Integrations providing this field	Allowed values	Note
eset.aggregated_count	long	2	ESET	N/A	If the same indicator was triggered during short time span, it produces only one document. This field contains number of how many indicators produced the specific document.
eset.correlation_id	keyword	09f03498-8228-d345-f998-491d11a306d7	ESET	N/A	Identifier shared across related ESET indicators.
eset.epc_instance.id	keyword	7835678-c65c-41f6-ae2a-c784a2852a15	ESET	N/A	GUID of the ESET PROTECT instance.
eset.executable.code_signature.*	N/A	N/A	ESET	N/A	Information about digital signature. See ECS Code Signature fields.
eset.executable.file_format	keyword	pe	ESET	•elf •pe •macho	Format of executable file.
eset.executable.hash.*	N/A	N/A	ESET	N/A	Hashes of the executable. See ECS hash field set.
eset.executable.id	keyword	DB75962AE7A258C5DFA4F558BD8B7D04F2FED03F_	ESET	N/A	Unique identifier of the executable.
eset.executable.is_dynamically_linked_library	boolean	false	ESET	N/A	If true, the executable represents dynamically linked library.
eset.executable.last_nearmiss_time	date	2016-05-23T08:05:34.853Z	ESET	N/A	The timestamp when the associated file or executable triggered an antivirus detection that was classified as a near miss (for example, similar to known malware but not enough to be confidently reported as malware).
eset.executable.livegrid_findings.age_days	long	5	ESET	N/A	The number of days since the executable was first seen in LiveGrid®. The number is rounded to the equivalent of the common time buckets: day, few days, week, month, half of the year, year, et cetera.
eset.executable.livegrid_findings.popularity	double	0.64	ESET	Interval 0.0 - 1.0	How many computers reported an executable to LiveGrid®. The interval is mapped to powers of ten: •0.00 => 0 (not yet reported to LiveGrid®) •0.09 => 10⁰ = 1 •0.18 => 10¹ = 10 •0.27 => 10² = 100 •et cetera
eset.executable.livegrid_findings.reputation	double	0.88	ESET	Interval 0.0 - 1.0	Number indicating how safe the executable is according to to LiveGrid®. The higher the number, the more trusted is the executable by LiveGrid®. •= 0.00 - malware or blacklisted •<= 0.38 - potentially unwanted or unsafe •>= 0.88 - prevalent clean files
eset.executable.name	keyword	usoclient.exe	ESET	N/A	The name of the executable, including the extension but without the directory path.
eset.executable.marked_safe	boolean	false	ESET	N/A	If true, the executable is marked safe.
eset.executable.packer_name	keyword	UPX v13_m8	ESET	N/A	Name of packer used to create the executable as identified by ESET.
eset.executable.pe_internal_name	keyword	chrome_exe	ESET	N/A	Internal name field from the executable metadata.
eset.executable.pe_is_native	boolean	false	ESET	N/A	If true, the executable is a Windows driver.
eset.executable.product_version	keyword	142.0.7444.176	ESET	N/A	Product version field from the executable metadata.
eset.executable.sfx_name	keyword	PYINSTALLER	ESET	N/A	Name of the SFX tool used to create the executable as identified by ESET.
eset.executable.size	long	3,417,240	ESET	N/A	File size of the executable.
eset.executable.whitelist_type	keyword	livegrid	ESET	•threat-scanner •livegrid •certificate	Contains the type of whitelist. These whitelists are managed by ESET and are not user-configurable.
eset.handling_status	keyword	remediated	ESET	•mitigated •remediated •unhandled	Represents result of automated remediation as executed by ESET security product. •mitigated—partial immediate automated actions were taken to reduce the threat’s impact, but it has not been fully eliminated. Full resolution usually requires a system restart. •remediated—the threat has been completely and permanently resolved by the source system or automation or an automated process, indicating complete eradication and recovery to a secure state at the time of detection. •unhandled—the underlying artifact or observable has not been addressed, and no immediate or automated action was taken to contain, eradicate, or reduce its impact. This remains a high‑priority indicator requiring prompt human analysis, as the threat is still active and unimpeded.
eset.host.group_path	keyword array	All, Companies, ESET, Accounting	ESET	N/A	Lists the ESET PROTECT Admin Groups the device belongs to. The groups are ordered from the topmost one to the direct parent group of the host.
eset.host.id	keyword	59a611f9-a01e-47a6-a839-03b1e4ac3e67	ESET	N/A	Unique identifier for the host. Same as host.id.
eset.process.ancestors.id	keyword array	18fcddaa-632d-4991-8f5d-1b89c82d0eff, e1f8dc76-d7f8-49f2-9bac-30a20c598cb0	ESET	N/A	Unique identifiers of ancestors processes.
eset.process.ancestors.integrity_level	keyword array	medium, high	ESET	•untrusted •low •medium •high •system •protected	Integrity level of ancestor processes.
eset.process.ancestors.name	keyword array	chrome.exe, explorer.exe, userinit.exe, winlogon.exe, smss.exe	ESET	N/A	Process names of the ancestor processes.
eset.process.ancestors.pid	long array	15,916, 2,268, 7,784, 1,192, 1,084	ESET	N/A	Process PIDs of the ancestor processes.
eset.process.ancestors.subprocesses_count	long array	117, 9, 1, 6, 2	ESET	N/A	Number of processes spawned from the ancestor process.
eset.process.ancestors.terminated	boolean array	true, false, true	ESET	N/A	Termination status of the ancestor process.
eset.process.children.id	keyword array	18fcddaa-642d-4991-8f5d-1b89c82d0eff, e1f8dc76-d7f8-49f2-9bac-31a20c598cb0	ESET	N/A	Unique identifiers of children processes.
eset.process.children.integrity_level	keyword array	medium, high	ESET	•untrusted •low •medium •high •system •protected	Integrity level of children processes.
eset.process.children.name	keyword array	conhost.exe, cmd.exe	ESET	N/A	Process names of children processes.
eset.process.children.pid	long array	708, 7,964	ESET	N/A	Process identifiers of children processes.
eset.process.children.subprocess_count	long array	1, 5	ESET	N/A	Number of processes spawned from the child process.
eset.process.children.terminated	boolean array	true, false	ESET	N/A	Termination status of children processes.
eset.process.dns_query_count	long	0	ESET	N/A	Number of DNS queries made by the process.
eset.process.dropped_executable_count	long	1	ESET	N/A	Number of dropped executables by the process.
eset.process.http_request_count	long	9	ESET	N/A	Number of HTTP requests made by the process.
eset.process.id	keyword	8d053e9-8cf5-885d-a17b-0c14e4110000	ESET	N/A	Unique identifier of the process.
eset.process.integrity_level	keyword	medium	ESET	•untrusted •low •medium •high •system •protected	Integrity level of the process.
eset.process.lnk_path	keyword	c:\users\administrator\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\firefox.lnk	ESET	N/A	Specifies the full file system path to the Windows shortcut (.lnk) file that was used to launch the process.
eset.process.modified_registry_count	long	42	ESET	N/A	Number of Windows Registry keys modified by the process.
eset.process.network_connection_count	long	6	ESET	N/A	Number of network connections established by the process.
eset.process.spawned_child_process_count	long	2	ESET	N/A	Number of processes spawned from the process.
eset.process.threat_detection_performance_excluded	boolean	false	ESET	N/A	When true, the process is excluded from ESET Endpoint Security threat detection due to a configured performance exclusion.
eset.process.username	keyword	contoso\administrator	ESET	N/A	Stores the concatenated user.domain and user.name in the format domain\username, representing the account under which the process is executed.
eset.severity	keyword	Warning	ESET	•Informational •Warning •Threat	Textual representation of event.severity field. Based on event.risk_score field. •1–39 => Informational (1) •40–69 => Warning (2) •70-100 => Threat (3)
eset.triggering_event.argument	wildcard Multi-field: eset.triggering_event.argument.text - match_only_text	%WINDIR%\explorer.exe (Remote thread)	ESET	N/A	A context‑specific value associated with the event defined in eset.triggering_event.type. This field contains the primary object or parameter relevant to the event—for example, the file path, process path, registry key, network address, or other resource on which the event occurred.
eset.triggering_event.id	keyword	8b4df3a4-2c87-4f50-94af-ab0e0d8589eb	ESET	N/A	Unique ID of the triggering event.
eset.triggering_event.data	flattened	{ "event": "{\"event\":{\"action\":\"file-written\",\"category\":[\"file\"],\"created\":\"2026-01-12T11:24:18.162963962Z\",\"dataset\":\"eset.telemetry\",\"kind\":\"event\",\"module\":\"eset\",\"outcome\":\"success\",\"type\":[\"change\"]},\"file\":{\"directory\":\"/etc/profile.d/\",\"extension\":\"dpkg-new\",\"fork_name\":\"\",\"name\":\"apps-bin-path.sh.dpkg-new\",\"path\":\"/etc/profile.d/apps-bin-path.sh.dpkg-new\",\"type\":\"file\"},\"process\":{\"args_count\":\"0\",\"command_line\":\"/usr/bin/dpkg\",\"entity_id\":\"76d864e9-de7b-8a8a-9c8f-4c5154340000\",\"executable\":\"/usr/bin/dpkg\",\"name\":\"dpkg\",\"pid\":\"13396\",\"start\":\"2026-01-12T11:18:14Z\",\"code_signature\":{},\"hash\":{\"sha1\":\"7EEA08F4B248DCE66B87C4F8286029183C766439\",\"sha256\":\"052D7FFC6A813D0744E45B89ED2D9F4C6368B5EE9126AEF1C7290D6CAC38E287\"},\"parent\":{\"args_count\":\"0\",\"command_line\":\"dpkg\",\"entity_id\":\"76d864e9-9eb0-843a-9d1a-881954340000\",\"executable\":\"unknown13357\",\"name\":\"unknown13357\",\"pid\":\"13396\",\"start\":\"2026-01-12T11:18:14Z\"},\"user\":{\"id\":\"\",\"name\":\"root:root\"},\"end\":\"2026-01-12T11:18:54Z\"},\"eset\":{\"process\":{\"id\":\"76d864e9-de7b-8a8a-9c8f-4c5154340000\",\"username\":\"root:root\",\"livegrid_findings\":{\"age_days\":92,\"popularity\":0.36,\"reputation\":0.88},\"executable\":{\"id\":\"7EEA08F4B248DCE66B87C4F8286029183C766439_\",\"livegrid_findings\":{\"age_days\":92,\"popularity\":0.36,\"reputation\":0.88},\"file_format\":\"elf\",\"marked_safe\":false,\"hash\":{\"sha1\":\"7EEA08F4B248DCE66B87C4F8286029183C766439\",\"sha256\":\"052D7FFC6A813D0744E45B89ED2D9F4C6368B5EE9126AEF1C7290D6CAC38E287\"},\"is_dynamically_linked_library\":false,\"pe_is_native\":false,\"whitelist_type\":\"livegrid\",\"name\":\"dpkg\",\"size\":\"318176\"},\"threat_detection_performance_excluded\":false,\"modified_registry_count\":0,\"dropped_executable_count\":0,\"spawned_child_process_count\":146,\"http_request_count\":0,\"dns_query_count\":0,\"network_connection_count\":0},\"telemetry\":{\"event\":\"FileIoWrite\"}}}" }	ESET	N/A	Arbitrary non-schematic, event-type dependent structured data.
eset.triggering_event.type	keyword	FileDeleted	ESET	•ApiCalled •CodeInjected •DeviceConnected •DnsResolved •DriverLoaded •DriverUnloaded •ExecutableDropped •FileAddedToBitsJob •FileAttributesSet •FileDeleted •FileRead •FileRenamed •FileTruncated •FileWritten •HttpResourceRequested •LibraryLoaded •MultipleFilesChanged •NamedPipeCreated •ProcessCreated •ProcessInjected •ProcessOpened •ProcessStartedViaWmi •ProcessTerminated •RegistryKeyCreated •RegistryKeyDeleted •RegistryKeyRenamed •RegistryKeyValueChanged •RegistryKeyValueDeleted •ScheduledTaskCreated •ScheduledTaskStarted •ScriptExecuted •ServiceInstalled •ServiceStarted •SystemApiCalled •TcpIpAccepted •TcpIpConnected •TcpIpDisconnected •TcpIpProtocolIdentified •UserActivated •UserAddedToGroup •UserCreated •UserDisabled •UserLoggedin •UserLoggedout •UserRemoved •UserRemovedFromGroup •VirtualDiskMounted •VolumeShadowCopyDeleted •WmiPersistenceSetup •WmiQueryExecuted	Type of the triggering event based on observed behavior.
eset.remediationactions.created	date array	2016-05-23T08:05:34.853Z	ESET	N/A	The timestamp indicating when the remediation action was executed.
eset.remediationactions.id	keyword array	8b4df3a4-2c87-4f50-94af-ab0e0c8589eb	ESET	N/A	Unique ID of the remediation action.
eset.remediationactions.name	keyword array	KillProcess	ESET	•BlockModule •BlockProcessExecutable •BlockProcessSuspiciousModules •IsolateFromNetwork •KillProcess •LogOutUser •Reboot •Shutdown	Name of the remediation action performed by EDR (ESET Inspect). For more details see the Rules Guide Actions section.
eset.remediationactions.outcome	keyword array	true	ESET	N/A	Indicates the result of the remediation action.
eset.scan.scanner_version	text	32438 (20251230)	ESET	N/A	Version of ESET scanning engine or module that detected or reported the event.

˄˅