ECS Categorization Field: event.category
editECS Categorization Field: event.category
editThis is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
event.category
represents the "big buckets" of ECS categories. For example, filtering on event.category:process
yields all events relating to process activity. This field is closely related to event.type
, which is used as a subcategory.
This field is an array. This will allow proper categorization of some events that fall in multiple categories.
After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.
Allowed Values
authentication
editEvents in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.
Expected event types for category authentication:
start, end, info
configuration
editEvents in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.
Example sources include security policy change logs, configuration auditing logging, and system integrity monitoring.
Expected event types for category configuration:
access, change, creation, deletion, info
database
editThe database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.
Expected event types for category database:
access, change, info, error
driver
editEvents in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.
Use events and metrics in this category to visualize and analyze driver-related activity and status on hosts.
Expected event types for category driver:
change, end, info, start
file
editRelating to a set of information that has been created on, or has existed on a filesystem. Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.
Expected event types for category file:
change, creation, deletion, info
host
editUse this category to visualize and analyze information such as host inventory or host lifecycle events.
Most of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane’s point of view. Some can also be seen from within, such as "start" or "end".
Note that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".
Expected event types for category host:
access, change, end, info, start
iam
editIdentity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.
Expected event types for category iam:
admin, change, creation, deletion, group, info, user
intrusion_detection
editRelating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.
Expected event types for category intrusion_detection:
allowed, denied, info
malware
editMalware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.
Expected event types for category malware:
info
network
editRelating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.
Expected event types for category network:
access, allowed, connection, denied, end, info, protocol, start
package
editRelating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.
Expected event types for category package:
access, change, deletion, info, installation, start
process
editUse this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.
Expected event types for category process:
access, change, end, info, start
web
editRelating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.
Expected event types for category web:
access, error, info