ECS Categorization Field: event.type
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for a single visualization.
This field is an array. This allows proper categorization of events that fall into multiple event types.
After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.
Allowed Values
access
The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include event.category:database AND event.type:access, or event.category:file AND event.type:access. Note that for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS event.action field.
change
The change event type is used for the subset of events within a category that indicate that something has changed. If semantics best describe an event as modified, then include it in this subcategory. Common examples include event.category:process AND event.type:change, and event.category:file AND event.type:change. You can further distinguish change operations using the ECS event.action field.
creation
The creation event type is used for the subset of events within a category that indicate that something was created. A common example is event.category:file AND event.type:creation.
deletion
The deletion event type is used for the subset of events within a category that indicate that something was deleted. A common example is event.category:file AND event.type:deletion to indicate that a file has been deleted.
end
The end event type is used for the subset of events within a category that indicate something has ended. A common example is event.category:process AND event.type:end.
error
The error event type is used for the subset of events within a category that indicate or describe an error. A common example is event.category:database AND event.type:error. Note that pipeline errors that occur during the event ingestion process should not use this event.type value. Instead, they should use event.kind:pipeline_error.
info
The info event type is used for the subset of events within a category that indicate that they are purely informational, and don't report a state change or any type of action. For example, an initial run of a file integrity monitoring (FIM) system, where an agent reports all files under management, would fall into the "info" subcategory. Similarly, an event containing a dump of all currently running processes (as opposed to reporting that a process started/ended) would fall into the "info" subcategory. Another common example is event.category:intrusion_detection AND event.type:info.
installation
The installation event type is used for the subset of events within a category that indicate that something was installed. A common example is event.category:package AND event.type:installation.
start
The start event type is used for the subset of events within a category that indicate something has started. A common example is event.category:process AND event.type:start.