Common fields

edit

Contains common fields available in all event types.

event.module

The name of the module that generated the event.

event.dataset

The name of the module’s dataset that generated the event.

event.action

type: keyword

example: logged-in

Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

event.id

type: keyword

example: 8a4f500d

Unique ID to describe the event.

event.kind

type: keyword

example: state

The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are event, state, alarm. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.

message

type: text

example: Hello World

For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.

process fields

edit

These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

process.start

type: date

example: 2016-05-23T08:05:34.853Z

The time the process started.

process.working_directory

type: keyword

example: /home/alice

The working directory of the process.

process.executable

type: keyword

example: /usr/bin/ssh

Absolute path to the process executable.

network.type

type: keyword

example: IPv4

In the OSI Model this would be the Network Layer. IPv4, IPv6, IPSec, PIM, etc

user fields

edit

The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

user.id

type: keyword

One or multiple unique identifiers of the user.

user.name

type: keyword

example: albert

Short name or login of the user.

group fields

edit

The group fields are meant to represent groups that are relevant to the event.

user.group.id

type: keyword

Unique identifier for the group on the system/platform.

user.group.name

type: keyword

Name of the group.

file fields

edit

File attributes.

file.path

type: text

The path to the file.

file.path.raw

type: keyword

The path to the file. This is a non-analyzed field that is useful for aggregations.

file.target_path

type: keyword

The target path for symlinks.

file.type

type: keyword

The file type (file, dir, or symlink).

file.device

type: keyword

The device.

file.inode

type: keyword

The inode representing the file in the filesystem.

file.uid

type: keyword

The user ID (UID) or security identifier (SID) of the file owner.

file.owner

type: keyword

The file owner’s username.

file.gid

type: keyword

The primary group ID (GID) of the file.

file.group

type: keyword

The primary group name of the file.

file.mode

type: keyword

example: 416

The mode of the file in octal representation.

file.setuid

type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.

file.setgid

type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.

file.size

type: long

The file size in bytes (field is only added when type is file).

file.mtime

type: date

The last modified time of the file (time when content was modified).

file.ctime

type: date

The last change time of the file (time when metadata was changed).

file.origin

type: text

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

file.origin.raw

type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.

selinux fields

edit

The SELinux identity of the file.

file.selinux.user

type: keyword

The owner of the object.

file.selinux.role

type: keyword

The object’s SELinux role.

file.selinux.domain

type: keyword

The object’s SELinux domain or type.

file.selinux.level

type: keyword

example: s0

The object’s SELinux level.

user fields

edit

User information.

effective fields

edit

Effective user information.

user.effective.id

type: keyword

Effective user ID.

group fields

edit

Effective group information.

user.effective.group.id

type: keyword

Effective group ID.

saved fields

edit

Saved user information.

user.saved.id

type: keyword

Saved user ID.

group fields

edit

Saved group information.

user.saved.group.id

type: keyword

Saved group ID.