ECS Categorization Field: event.type

This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.

event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization.

This field is an array. This will allow proper categorization of some events that fall in multiple event types.

After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.

Allowed Values

access

The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include event.category:database AND event.type:access, or event.category:file AND event.type:access. Note for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS event.action field.

change

The change event type is used for the subset of events within a category that indicate that something has changed. If semantics best describe an event as modified, then include them in this subcategory. Common examples include event.category:process AND event.type:change, and event.category:file AND event.type:change. You can further distinguish change operations using the ECS event.action field.

creation

The "creation" event type is used for the subset of events within a category that indicate that something was created. A common example is event.category:file AND event.type:creation.

deletion

The deletion event type is used for the subset of events within a category that indicate that something was deleted. A common example is event.category:file AND event.type:deletion to indicate that a file has been deleted.

end

The end event type is used for the subset of events within a category that indicate something has ended. A common example is event.category:process AND event.type:end.

error

The error event type is used for the subset of events within a category that indicate or describe an error. A common example is event.category:database AND event.type:error. Note that pipeline errors that occur during the event ingestion process should not use this event.type value. Instead, they should use event.kind:pipeline_error.

info

The info event type is used for the subset of events within a category that are purely informational and don't report a state change or any type of action. For example, an initial run of a file integrity monitoring (FIM) system, where an agent reports all files under management, would fall into the "info" subcategory. Similarly, an event containing a dump of all currently running processes (as opposed to reporting that a process started or ended) would fall into the "info" subcategory. An additional common example is event.category:intrusion_detection AND event.type:info.

installation

The installation event type is used for the subset of events within a category that indicate that something was installed. A common example is event.category:package AND event.type:installation.

start

The start event type is used for the subset of events within a category that indicate something has started. A common example is event.category:process AND event.type:start.
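The following is an added example, not code from the ECS project or its documentation. It shows how a detection pipeline might validate event.type against the allowed values above (treating the field as an array, as ECS specifies), flag the pipeline-error misuse the error entry warns about, and apply category-plus-type filters such as event.category:file AND event.type:change. The sample documents are constructed for the example.

```python
# Allowed event.type values as listed on this page.
ALLOWED_EVENT_TYPES = {
    "access", "change", "creation", "deletion", "end",
    "error", "info", "installation", "start",
}


def _as_list(value):
    """ECS declares event.type and event.category as arrays, but many
    shippers still emit a bare string; normalise both shapes to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def event_types(doc):
    return _as_list(doc.get("event", {}).get("type"))


def event_categories(doc):
    return _as_list(doc.get("event", {}).get("category"))


def validate(doc):
    """Return a list of categorization problems; an empty list means the
    document uses only official event.type values consistently."""
    problems = []
    for t in event_types(doc):
        if t not in ALLOWED_EVENT_TYPES:
            problems.append(f"unknown event.type {t!r}")
    # Ingest-pipeline failures belong under event.kind:pipeline_error,
    # not event.type:error (see the "error" entry above).
    if doc.get("event", {}).get("kind") == "pipeline_error" and "error" in event_types(doc):
        problems.append("pipeline errors should use event.kind:pipeline_error, not event.type:error")
    return problems


def filter_events(docs, category, event_type):
    """Equivalent of the query event.category:<category> AND event.type:<event_type>."""
    return [d for d in docs
            if category in event_categories(d) and event_type in event_types(d)]


# Constructed sample documents (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"kind": "event", "category": ["file"], "type": ["creation", "change"]},
     "file": {"path": "/tmp/report.txt"}},
    {"event": {"kind": "event", "category": ["process"], "type": "start"},
     "process": {"name": "sh"}},
    {"event": {"kind": "pipeline_error", "category": ["database"], "type": ["error"]}},
    {"event": {"kind": "event", "category": ["file"], "type": ["acess"]}},  # misspelled type
]
```

Running validate over SAMPLE_EVENTS flags only the last two documents; the file document matches both the creation and the change filter because event.type is an array.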