Rule Fields

Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, URL filters, endpoint detection and response (EDR) systems, etc.
Rule Field Details

Field | Description | Level
---|---|---
rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. type: keyword. Note: this field should contain an array of values. | extended
rule.category | A categorization value keyword used by the entity using the rule for detection of this event. type: keyword | extended
rule.description | The description of the rule generating the event. type: keyword | extended
rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. type: keyword | extended
rule.license | Name of the license under which the rule used to generate this event is made available. type: keyword | extended
rule.name | The name of the rule or signature generating the event. type: keyword | extended
rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that is not available, it can also be a link to a more general page describing this type of alert. type: keyword | extended
rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. type: keyword | extended
rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. type: keyword | extended
rule.version | The version / revision of the rule being used for analysis. type: keyword | extended
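The following is an added example (not Elastic's code) of how an ingest pipeline step might map an IDS alert's signature metadata onto the rule.* fields above and check the result against the constraints this page states: every rule.* field is a keyword (string), and rule.author is an array. The input record shape (keys such as `signature`, `sid`, `rev`, `classtype`) is constructed for the demo and is not any real product's format.

```python
"""Normalise a constructed IDS alert into ECS rule.* fields and validate them.

Added example, not Elastic's code. The alert key names are assumptions made
for this demo, not a real sensor's output format.
"""

# Every rule.* field on this page is type keyword; rule.author is an array.
RULE_FIELDS = {"author", "category", "description", "id", "license",
               "name", "reference", "ruleset", "uuid", "version"}


def to_ecs_rule(alert: dict) -> dict:
    """Map a constructed IDS alert record onto ECS rule.* fields.
    Numeric identifiers are stringified because keyword fields hold strings."""
    rule = {
        "name": alert["signature"],
        "id": str(alert["sid"]),
        "version": str(alert["rev"]),
        "category": alert.get("classtype"),
        "ruleset": alert.get("ruleset"),
        "reference": alert.get("reference"),
        "author": alert.get("authors", []),
    }
    # Drop fields with no value rather than emitting nulls or empty arrays.
    return {k: v for k, v in rule.items() if v not in (None, "", [])}


def validate_rule(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the object conforms."""
    problems = []
    for key, value in rule.items():
        if key not in RULE_FIELDS:
            problems.append(f"unknown field rule.{key}")
        elif key == "author":
            if not isinstance(value, list) or not all(isinstance(a, str) for a in value):
                problems.append("rule.author must be an array of strings")
        elif not isinstance(value, str):
            problems.append(f"rule.{key} is keyword; got {type(value).__name__}")
    return problems


# Constructed sample alert (not captured from a real sensor).
SAMPLE_ALERT = {"signature": "EXAMPLE DNS over TLS blocked", "sid": 101, "rev": 2,
                "classtype": "policy-violation", "ruleset": "example-ruleset",
                "reference": "https://example.com/rules/101", "authors": ["Example Team"]}

if __name__ == "__main__":
    ecs = to_ecs_rule(SAMPLE_ALERT)
    print({"rule": ecs}, validate_rule(ecs))
    # A record with the wrong types and an unknown field shows what the check catches.
    print(validate_rule({"id": 101, "author": "solo", "severity": "high"}))
```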