ECS Field Reference
editECS Field Reference
editThis is the documentation of ECS version 1.2.0.
ECS defines multiple groups of related fields. They are called "field sets". The Base field set is the only one whose fields are defined at the root of the event.
All other field sets are defined as objects in Elasticsearch, under which all fields are defined.
Field Sets
editField Set | Description |
---|---|
All fields defined directly at the top level |
|
Fields about the monitoring agent. |
|
Fields describing an Autonomous System (Internet routing prefix). |
|
Fields about the client side of a network connection, used with server. |
|
Fields about the cloud resource. |
|
Fields describing the container that generated this event. |
|
Fields about the destination side of a network connection, used with source. |
|
Fields describing DNS queries and answers. |
|
Meta-information specific to ECS. |
|
Fields about errors of any kind. |
|
Fields breaking down the event details. |
|
Fields describing files. |
|
Fields describing a location. |
|
User’s group relevant to the event. |
|
Hashes, usually file hashes. |
|
Fields describing the relevant computing instance. |
|
Fields describing an HTTP request. |
|
Details about the event’s logging mechanism. |
|
Fields describing the communication path over which the event happened. |
|
Fields describing an entity observing the event from outside the host. |
|
Fields describing the organization or company the event is associated with. |
|
OS fields contain information about the operating system. |
|
These fields contain information about an installed software package. |
|
These fields contain information about a process. |
|
Fields meant to facilitate pivoting around a piece of data. |
|
Fields about the server side of a network connection, used with client. |
|
Fields describing the service for or from which the data was collected. |
|
Fields about the source side of a network connection, used with destination. |
|
Fields to classify events and alerts according to a threat taxonomy. |
|
Fields related to distributed tracing. |
|
Fields that let you store URLs in various forms. |
|
Fields to describe the user relevant to the event. |
|
Fields to describe a browser user_agent string. |