Elastic Common Schema (ECS) Reference
Risk information Fields

Fields for describing the risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.

These fields are in beta and are subject to change.
Risk information Field Details

Field | Description | Level
---|---|---
risk.calculated_level | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword | extended
risk.calculated_score | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float | extended
risk.calculated_score_norm | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. type: float | extended
risk.static_level | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword | extended
risk.static_score | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float | extended
risk.static_score_norm | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. type: float | extended
Field Reuse

The risk fields are expected to be nested at:
- host.risk
- user.risk

Note also that the risk fields are not expected to be used directly at the root of the events.
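The placement and normalization rules above are easy to get wrong in an enrichment pipeline, so here is an added Python example (not part of the ECS documentation or any Elastic tooling) that builds a host document with internally calculated risk fields, maps a raw score onto the 0 to 100 range used by the *_score_norm fields, and checks a document against the rules on this page: no risk.* at the root, no event.risk.*, and only known risk leaf fields with the right types under host.risk and user.risk. The raw score range of 0 to 1000, the level label "High", and the hostnames are constructed sample values, not ECS conventions.

```python
from typing import Any

# Leaf names of the ECS risk fieldset (from the table above) and the JSON
# types we accept for them: keyword -> str, float -> int or float.
RISK_FIELD_TYPES: dict[str, tuple[type, ...]] = {
    "calculated_level": (str,),
    "calculated_score": (int, float),
    "calculated_score_norm": (int, float),
    "static_level": (str,),
    "static_score": (int, float),
    "static_score_norm": (int, float),
}

# Entities under which risk.* is expected to be nested ("Field Reuse").
ALLOWED_PARENTS = ("host", "user")


def normalize_score(score: float, low: float, high: float) -> float:
    """Map a raw score in [low, high] onto the 0..100 range used by *_score_norm.

    Out-of-range input is clamped first, so a misbehaving scorer can never
    produce a normalized value outside 0..100.
    """
    if high <= low:
        raise ValueError("score range must be non-empty")
    clamped = min(max(score, low), high)
    return round((clamped - low) / (high - low) * 100.0, 2)


def build_host_risk_doc(hostname: str, raw_score: float, level: str,
                        score_range: tuple[float, float] = (0.0, 1000.0)) -> dict[str, Any]:
    """Build a minimal ECS document carrying an internally calculated host risk.

    score_range (default 0..1000) is an assumed property of the hypothetical
    internal scorer, not something ECS defines.
    """
    return {
        "host": {
            "name": hostname,
            "risk": {
                "calculated_level": level,
                "calculated_score": raw_score,
                "calculated_score_norm": normalize_score(raw_score, *score_range),
            },
        },
    }


def validate_risk_placement(doc: dict[str, Any]) -> list[str]:
    """Return the list of rule violations; an empty list means the document is fine."""
    problems: list[str] = []
    if "risk" in doc:
        problems.append("risk.* at the document root is not expected")
    event = doc.get("event")
    if isinstance(event, dict) and "risk" in event:
        problems.append("event.risk.* is not allowed; use event.risk_score / event.risk_score_norm")
    for parent in ALLOWED_PARENTS:
        entity = doc.get(parent)
        risk = entity.get("risk") if isinstance(entity, dict) else None
        if risk is None:
            continue
        for name, value in risk.items():
            expected = RISK_FIELD_TYPES.get(name)
            if expected is None:
                problems.append(f"{parent}.risk.{name} is not an ECS risk field")
                continue
            # bool is a subclass of int in Python, so reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, expected):
                problems.append(f"{parent}.risk.{name} has wrong type {type(value).__name__}")
                continue
            if name.endswith("_norm") and not 0 <= value <= 100:
                problems.append(f"{parent}.risk.{name} must be within 0..100, got {value}")
    return problems


if __name__ == "__main__":
    # Constructed sample documents: one compliant, one breaking every rule.
    good = build_host_risk_doc("web-01", 750.0, "High")
    bad = {
        "risk": {"calculated_level": "High"},
        "event": {"risk": {"calculated_score": 12.0}},
        "user": {"name": "alice", "risk": {"static_score_norm": 150, "vendor_score": 3}},
    }
    print(good)
    print(validate_risk_placement(good))
    for problem in validate_risk_placement(bad):
        print("-", problem)
```

The validator only reports violations rather than rewriting the document; in a real pipeline, event.risk_score and event.risk_score_norm remain the place for per-event risk, and the checker makes that mistake visible before a document reaches the index.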