Geo Fields
Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as GeoIP lookup, or be user-supplied.
Geo Field Details
Field | Description | Type | Level
---|---|---|---
geo.city_name | City name. | keyword | core
geo.continent_code | Two-letter code representing the continent's name. | keyword | core
geo.continent_name | Name of the continent. | keyword | core
geo.country_iso_code | Country ISO code. | keyword | core
geo.country_name | Country name. | keyword | core
geo.location | Longitude and latitude. | geo_point | core
geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, or city names. Not typically used in automated geolocation. | keyword | extended
geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | core
geo.region_iso_code | Region ISO code. | keyword | core
geo.region_name | Region name. | keyword | core
geo.timezone | The time zone of the location, such as an IANA time zone name. | keyword | core
Field Reuse
The geo fields are expected to be nested at:
- client.geo
- destination.geo
- host.geo
- observer.geo
- server.geo
- source.geo
- threat.enrichments.indicator.geo
- threat.indicator.geo

Note also that the geo fields are not expected to be used directly at the root of the events.
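As an added example (not part of the ECS documentation or the ECS project's own code), the following Python snippet nests a geo field set under one of the parents listed above and checks an event for geo blocks placed at the root or under an unexpected parent. Field values such as "Exampleville" and the function names `with_geo` and `geo_placement_errors` are constructed for this illustration.

```python
"""Constructed example: placing and validating ECS geo fields in an event.
Not part of ECS itself; GEO_PARENTS is taken from the reuse list above."""
import json

# Parents under which ECS expects the geo field set to be nested.
GEO_PARENTS = (
    "client", "destination", "host", "observer", "server", "source",
    "threat.enrichments.indicator", "threat.indicator",
)

# Constructed sample values (placeholders, not real geolocation data).
SAMPLE_GEO = {
    "city_name": "Exampleville",
    "country_iso_code": "XX",
    "location": {"lat": 0.0, "lon": 0.0},
    "timezone": "Etc/UTC",
}


def with_geo(event, parent, geo):
    """Return a copy of `event` with `geo` nested under the dotted `parent` path.

    Example: with_geo({}, "source", SAMPLE_GEO) -> {"source": {"geo": {...}}}
    """
    out = json.loads(json.dumps(event))  # deep copy so the input is untouched
    cur = out
    for part in parent.split("."):
        cur = cur.setdefault(part, {})
    cur["geo"] = dict(geo)
    return out


def geo_placement_errors(event):
    """Return a list of problems with where geo fields appear in `event`.

    Flags a geo block at the event root and any geo block whose parent path
    is not one of GEO_PARENTS. Lists (such as threat.enrichments) are walked
    element by element without changing the dotted path.
    """
    errors = []
    if "geo" in event:
        errors.append("geo.* must not be used at the root of the event")

    def walk(node, path):
        if isinstance(node, list):
            for item in node:
                walk(item, path)
            return
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key == "geo":
                # Root-level geo was reported above; only check nested parents.
                if path and path not in GEO_PARENTS:
                    errors.append(
                        f"geo fields nested under unexpected parent '{path}'"
                    )
                continue
            walk(value, f"{path}.{key}" if path else key)

    walk(event, "")
    return errors


if __name__ == "__main__":
    ok_event = with_geo({"event": {"kind": "event"}}, "source", SAMPLE_GEO)
    print(json.dumps(ok_event, indent=2))
    print(geo_placement_errors(ok_event))            # []
    print(geo_placement_errors({"geo": SAMPLE_GEO}))  # root-level geo flagged
```

The check is useful in an ingest pipeline or test suite: events that put `geo.*` at the root, or under a parent that ECS does not define for geo, will not line up with the mappings and queries other ECS-aware tooling expects.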