IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Alert schema

edit

Alert schema

edit

Elastic Security stores alerts that have been generated by detection rules in hidden Elasticsearch indices. In 8.x versions, the index pattern is .alerts-security.alerts-<space-id->. In 7.x versions, the index pattern was .siem-signals-<space-id>, and some field names were different. The following table includes the current names and cross-references the legacy field names.

Users are advised NOT to use the _source field in alert documents, but rather to use the fields option in the search API to programmatically obtain the list of fields used in these documents. Learn more about retrieving selected fields from a search.

The non-ECS fields listed below are beta and subject to change.

7.x signal field	8.x alert field	Description
`@timestamp`	`@timestamp`	ECS field, represents the time when the alert was created or most recently updated.
`message`	`message`	ECS field copied from the source document, if present, for custom query and indicator match rules.
`tags`	`tags`	ECS field copied from the source document, if present, for custom query and indicator match rules.
`labels`	`labels`	ECS field copied from the source document, if present, for custom query and indicator match rules.
`ecs.version`	`ecs.version`	ECS mapping version of the alert.
`event.kind`	`event.kind`	ECS field, always `signal` for alert documents.
`event.category`	`event.category`	ECS field, copied from the source document, if present, for custom query and indicator match rules.
`event.type`	`event.type`	ECS field, copied from the source document, if present, for custom query and indicator match rules.
`event.outcome`	`event.outcome`	ECS field, copied from the source document, if present, for custom query and indicator match rules.
`agent.*`	`agent.*`	ECS `agent.*` fields copied from the source document, if present, for custom query and indicator match rules.
`client.*`	`client.*`	ECS `client.*` fields copied from the source document, if present, for custom query and indicator match rules.
`cloud.*`	`cloud.*`	ECS `cloud.*` fields copied from the source document, if present, for custom query and indicator match rules.
`container.*`	`container.*`	ECS `container.* fields` copied from the source document, if present, for custom query and indicator match rules.
`data_stream.*`	`data_stream.*`	ECS `data_stream.*` fields copied from the source document, if present, for custom query and indicator match rules. NOTE: These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords.
`destination.*`	`destination.*`	ECS `destination.*` fields copied from the source document, if present, for custom query and indicator match rules.
`dll.*`	`dll.*`	ECS `dll.*` fields copied from the source document, if present, for custom query and indicator match rules.
`dns.*`	dns.*	ECS `dns.*` fields copied from the source document, if present, for custom query and indicator match rules.
`error.*`	`error.*`	ECS `error.*` fields copied from the source document, if present, for custom query and indicator match rules.
`event.*`	`event.*`	ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules. NOTE: categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above.
`file.*`	`file.*`	ECS `file.*` fields copied from the source document, if present, for custom query and indicator match rules.
`group.*`	`group.*`	ECS `group.*` fields copied from the source document, if present, for custom query and indicator match rules.
`host.*`	`host.*`	ECS `host.*` fields copied from the source document, if present, for custom query and indicator match rules.
`http.*`	`http.*`	ECS `http.*` fields copied from the source document, if present, for custom query and indicator match rules.
`log.*`	`log.*`	ECS `log.*` fields copied from the source document, if present, for custom query and indicator match rules.
`network.*`	`network.*`	ECS `network.*` fields copied from the source document, if present, for custom query and indicator match rules.
`observer.*`	`observer.*`	ECS `observer.*` fields copied from the source document, if present, for custom query and indicator match rules.
`orchestrator.*`	`orchestrator.*`	ECS `orchestrator.*` fields copied from the source document, if present, for custom query and indicator match rules.
`organization.*`	`organization.*`	ECS `organization.*` fields copied from the source document, if present, for custom query and indicator match rules.
`package.*`	`package.*`	ECS `package.*` fields copied from the source document, if present, for custom query and indicator match rules.
`process.*`	`process.*`	ECS `process.*` fields copied from the source document, if present, for custom query and indicator match rules.
`registry.*`	`registry.*`	ECS `registry.*` fields copied from the source document, if present, for custom query and indicator match rules.
`related.*`	`related.*`	ECS `related.*` fields copied from the source document, if present, for custom query and indicator match rules.
`rule.*`	`rule.*`	ECS `rule.*` fields copied from the source document, if present, for custom query and indicator match rules. NOTE: These fields are not related to the detection rule that generated the alert.
`server.*`	`server.*`	ECS `server.*` fields copied from the source document, if present, for custom query and indicator match rules.
`service.*`	`service.*`	ECS `service.*` fields copied from the source document, if present, for custom query and indicator match rules.
`source.*`	`source.*`	ECS `source.*` fields copied from the source document, if present, for custom query and indicator match rules.
`span.*`	`span.*`	ECS `span.*` fields copied from the source document, if present, for custom query and indicator match rules.
`threat.*`	`threat.*`	ECS `threat.*` fields copied from the source document, if present, for custom query and indicator match rules.
`tls.*`	`tls.*`	ECS `tls.*` fields copied from the source document, if present, for custom query and indicator match rules.
`trace.*`	`trace.*`	ECS `trace.*` fields copied from the source document, if present, for custom query and indicator match rules.
`transaction.*`	`transaction.*`	ECS `transaction.*` fields copied from the source document, if present, for custom query and indicator match rules.
`url.*`	`url.*`	ECS `url.*` fields copied from the source document, if present, for custom query and indicator match rules.
`user.*`	`user.*`	ECS `user.*` fields copied from the source document, if present, for custom query and indicator match rules.
`user_agent.*`	`user_agent.*`	ECS `user_agent.*` fields copied from the source document, if present, for custom query and indicator match rules.
`vulnerability.*`	`vulnerability.*`	ECS `vulnerability.*` fields copied from the source document, if present, for custom query and indicator match rules.
`signal.ancestors.*`	`kibana.alert.ancestors.*`	Type: object
`signal.depth`	`kibana.alert.depth`	Type: Long
N/A	`kibana.alert.new_terms`	The value of the new term that generated this alert. Type: keyword
`signal.original_event.*`	`kibana.alert.original_event.*`	Type: object
`signal.original_time`	`kibana.alert.original_time`	The value copied from the source event (`@timestamp`). Type: date
`signal.reason`	`kibana.alert.reason`	Type: keyword
`signal.rule.author`	`kibana.alert.rule.author`	The value of the `author` who created the rule. Refer to configure advanced rule settings. Type: keyword
`signal.rule.building_block_type`	`kibana.alert.building_block_type`	The value of `building_block_type` from the rule that generated this alert. Refer to configure advanced rule settings. Type: keyword
`signal.rule.created_at`	`kibana.alert.rule.created_at`	The value of `created.at` from the rule that generated this alert. Type: date
`signal.rule.created_by`	`kibana.alert.rule.created_by`	Type: keyword
`signal.rule.description`	`kibana.alert.rule.description`	Type: keyword
`signal.rule.enabled`	`kibana.alert.rule.enabled`	Type: keyword
`signal.rule.false_positives`	`kibana.alert.rule.false_positives`	Type: keyword
`signal.rule.from`	`kibana.alert.rule.from`	Type: keyword
`signal.rule.id`	`kibana.alert.rule.uuid`	Type: keyword
`signal.rule.immutable`	`kibana.alert.rule.immutable`	Type: keyword
`signal.rule.interval`	`kibana.alert.rule.interval`	Type: keyword
`signal.rule.license`	`kibana.alert.rule.license`	Type: keyword
`signal.rule.max_signals`	`kibana.alert.rule.max_signals`	Type: long
`signal.rule.name`	`kibana.alert.rule.name`	Type: keyword
`signal.rule.note`	`kibana.alert.rule.note`	Type: keyword
`signal.rule.references`	`kibana.alert.rule.references`	Type: keyword
`signal.rule.risk_score`	`kibana.alert.risk_score`	Type: float
`signal.rule.rule_id`	`kibana.alert.rule.rule_id`	Type: keyword
`signal.rule.rule_name_override`	`kibana.alert.rule.rule_name_override`	Type: keyword
`signal.rule.severity`	`kibana.alert.severity`	Alert severity, populated by the `rule_type` at alert creation. Must have a value of `low`, `medium`, `high`, `critical`. Type: keyword
`signal.rule.tags`	`kibana.alert.rule.tags`	Type: keyword
`signal.rule.threat.*`	`kibana.alert.rule.threat.*`	Type: object
`signal.rule.timeline_id`	`kibana.alert.rule.timeline_id`	Type: keyword
`signal.rule.timeline_title`	`kibana.alert.rule.timeline_title`	Type: keyword
`signal.rule.timestamp_override`	`kibana.alert.rule.timestamp_override`	Type: keyword
`signal.rule.to`	`kibana.alert.rule.to`	Type: keyword
`signal.rule.type`	`kibana.alert.rule.type`	Type: keyword
`signal.rule.updated_at`	`kibana.alert.rule.updated_at`	Type: date
`signal.rule.updated_by`	`kibana.alert.rule.updated_by`	Type: keyword
`signal.rule.version`	`kibana.alert.rule.version`	A number that represents a rule’s version. Type: keyword
N/A	`kibana.alert.rule.revision`	A number that gets incremented each time you edit a rule. Type: long
`signal.status`	`kibana.alert.workflow_status`	Type: keyword
N/A	`kibana.alert.workflow_status_updated_at`	The timestamp of when the alert’s status was last updated. Type: date
`signal.threshold_result.*`	`kibana.alert.threshold_result.*`	Type: object
`signal.group.id`	`kibana.alert.group.id`	Type: keyword
`signal.group.index`	`kibana.alert.group.index`	Type: integer
`signal.rule.index`	`kibana.alert.rule.parameters.index`	Type: flattened
`signal.rule.language`	`kibana.alert.rule.parameters.language`	Type: flattened
`signal.rule.query`	`kibana.alert.rule.parameters.query`	Type: flattened
`signal.rule.risk_score_mapping`	`kibana.alert.rule.parameters.risk_score_mapping`	Type: flattened
`signal.rule.saved_id`	`kibana.alert.rule.parameters.saved_id`	Type: flattened
`signal.rule.severity_mapping`	`kibana.alert.rule.parameters.severity_mapping`	Type: flattened
`signal.rule.threat_filters`	`kibana.alert.rule.parameters.threat_filters`	Type: flattened
`signal.rule.threat_index`	`kibana.alert.rule.parameters.threat_index`	Names of the indicator indices. Type: flattened
`signal.rule.threat_indicator_path`	`kibana.alert.rule.parameters.threat_indicator_path`	Type: flattened
`signal.rule.threat_language`	`kibana.alert.rule.parameters.threat_language`	Type: flattened
`signal.rule.threat_mapping.*`	`kibana.alert.rule.parameters.threat_mapping.*`	Controls which fields will be compared in the indicator and source documents. Type: flattened
`signal.rule.threat_query`	`kibana.alert.rule.parameters.threat_query`	Type: flattened
`signal.rule.threshold.*`	`kibana.alert.rule.parameters.threshold.*`	Type: flattened
N/A	`kibana.space_ids`	Type: keyword
N/A	`kibana.alert.rule.consumer`	Type: keyword
N/A	`kibana.alert.status`	Type: keyword
N/A	`kibana.alert.rule.category`	Type: keyword
N/A	`kibana.alert.rule.execution.uuid`	Type: keyword
N/A	`kibana.alert.rule.producer`	Type: keyword
N/A	`kibana.alert.rule.rule_type_id`	Type: keyword
N/A	`kibana.alert.suppression.terms.field`	The fields used to group alerts for suppression. Type: keyword
N/A	`kibana.alert.suppression.terms.value`	The values in the suppression fields. Type: keyword
N/A	`kibana.alert.suppression.start`	The timestamp of the first document in the suppression group. Type: date
N/A	`kibana.alert.suppression.end`	The timestamp of the last document in the suppression group. Type: date
N/A	`kibana.alert.suppression.docs_count`	The number of suppressed alerts. Type: long
N/A	`kibana.alert.url`	The shareable URL for the alert. This field only appears if you’ve set the `server.publicBaseUrl` configuration setting in the `kibana.yml` file. Type: long
N/A	`kibana.alert.workflow_tags`	List of tags added to an alert. This field can contain an array of values, for example: `["False Positive", "production"]` Type: keyword
N/A	`kibana.alert.workflow_assignee_ids`	List of users assigned to an alert. An array of unique identifiers (UIDs) for user profiles, for example: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings. Type: string[]

« Timeline schema Troubleshooting »