ECS Field Reference

edit

This is the documentation of ECS version 1.2.0.

ECS defines multiple groups of related fields. They are called "field sets". The Base field set is the only one whose fields are defined at the root of the event.

All other field sets are defined as objects in Elasticsearch, under which all fields are defined.

Field Sets

edit
Field Set Description

Base

All fields defined directly at the top level

Agent

Fields about the monitoring agent.

Autonomous System

Fields describing an Autonomous System (Internet routing prefix).

Client

Fields about the client side of a network connection, used with server.

Cloud

Fields about the cloud resource.

Container

Fields describing the container that generated this event.

Destination

Fields about the destination side of a network connection, used with source.

DNS

Fields describing DNS queries and answers.

ECS

Meta-information specific to ECS.

Error

Fields about errors of any kind.

Event

Fields breaking down the event details.

File

Fields describing files.

Geo

Fields describing a location.

Group

User’s group relevant to the event.

Hash

Hashes, usually file hashes.

Host

Fields describing the relevant computing instance.

HTTP

Fields describing an HTTP request.

Log

Details about the event’s logging mechanism.

Network

Fields describing the communication path over which the event happened.

Observer

Fields describing an entity observing the event from outside the host.

Organization

Fields describing the organization or company the event is associated with.

Operating System

OS fields contain information about the operating system.

Package

These fields contain information about an installed software package.

Process

These fields contain information about a process.

Related

Fields meant to facilitate pivoting around a piece of data.

Server

Fields about the server side of a network connection, used with client.

Service

Fields describing the service for or from which the data was collected.

Source

Fields about the source side of a network connection, used with destination.

Threat

Fields to classify events and alerts according to a threat taxonomy.

Tracing

Fields related to distributed tracing.

URL

Fields that let you store URLs in various forms.

User

Fields to describe the user relevant to the event.

User agent

Fields to describe a browser user_agent string.