| Legacy field name (signal.*) | Field name (kibana.alert.*) | Description |
|---|---|---|
| @timestamp | @timestamp | ECS field; the time when the alert was created or most recently updated. |
| message | message | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| tags | tags | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| labels | labels | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| ecs.version | ecs.version | ECS mapping version of the alert. |
| event.kind | event.kind | ECS field; always signal for alert documents. |
| event.category | event.category | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| event.type | event.type | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| event.outcome | event.outcome | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| agent.* | agent.* | ECS agent.* fields copied from the source document, if present, for custom query and indicator match rules. |
| client.* | client.* | ECS client.* fields copied from the source document, if present, for custom query and indicator match rules. |
| cloud.* | cloud.* | ECS cloud.* fields copied from the source document, if present, for custom query and indicator match rules. |
| container.* | container.* | ECS container.* fields copied from the source document, if present, for custom query and indicator match rules. |
| data_stream.* | data_stream.* | ECS data_stream.* fields copied from the source document, if present, for custom query and indicator match rules. NOTE: These fields may be constant keywords in the source documents, but they are copied into the alert documents as keywords. |
| destination.* | destination.* | ECS destination.* fields copied from the source document, if present, for custom query and indicator match rules. |
| dll.* | dll.* | ECS dll.* fields copied from the source document, if present, for custom query and indicator match rules. |
| dns.* | dns.* | ECS dns.* fields copied from the source document, if present, for custom query and indicator match rules. |
| error.* | error.* | ECS error.* fields copied from the source document, if present, for custom query and indicator match rules. |
| event.* | event.* | ECS event.* fields copied from the source document, if present, for custom query and indicator match rules. NOTE: The categorization fields event.kind, event.category, event.type and event.outcome are listed separately above. |
| file.* | file.* | ECS file.* fields copied from the source document, if present, for custom query and indicator match rules. |
| group.* | group.* | ECS group.* fields copied from the source document, if present, for custom query and indicator match rules. |
| host.* | host.* | ECS host.* fields copied from the source document, if present, for custom query and indicator match rules. |
| http.* | http.* | ECS http.* fields copied from the source document, if present, for custom query and indicator match rules. |
| log.* | log.* | ECS log.* fields copied from the source document, if present, for custom query and indicator match rules. |
| network.* | network.* | ECS network.* fields copied from the source document, if present, for custom query and indicator match rules. |
| observer.* | observer.* | ECS observer.* fields copied from the source document, if present, for custom query and indicator match rules. |
| orchestrator.* | orchestrator.* | ECS orchestrator.* fields copied from the source document, if present, for custom query and indicator match rules. |
| organization.* | organization.* | ECS organization.* fields copied from the source document, if present, for custom query and indicator match rules. |
| package.* | package.* | ECS package.* fields copied from the source document, if present, for custom query and indicator match rules. |
| process.* | process.* | ECS process.* fields copied from the source document, if present, for custom query and indicator match rules. |
| registry.* | registry.* | ECS registry.* fields copied from the source document, if present, for custom query and indicator match rules. |
| related.* | related.* | ECS related.* fields copied from the source document, if present, for custom query and indicator match rules. |
| rule.* | rule.* | ECS rule.* fields copied from the source document, if present, for custom query and indicator match rules. NOTE: These fields are not related to the detection rule that generated the alert. |
| server.* | server.* | ECS server.* fields copied from the source document, if present, for custom query and indicator match rules. |
| service.* | service.* | ECS service.* fields copied from the source document, if present, for custom query and indicator match rules. |
| source.* | source.* | ECS source.* fields copied from the source document, if present, for custom query and indicator match rules. |
| span.* | span.* | ECS span.* fields copied from the source document, if present, for custom query and indicator match rules. |
| threat.* | threat.* | ECS threat.* fields copied from the source document, if present, for custom query and indicator match rules. |
| tls.* | tls.* | ECS tls.* fields copied from the source document, if present, for custom query and indicator match rules. |
| trace.* | trace.* | ECS trace.* fields copied from the source document, if present, for custom query and indicator match rules. |
| transaction.* | transaction.* | ECS transaction.* fields copied from the source document, if present, for custom query and indicator match rules. |
| url.* | url.* | ECS url.* fields copied from the source document, if present, for custom query and indicator match rules. |
| user.* | user.* | ECS user.* fields copied from the source document, if present, for custom query and indicator match rules. |
| user_agent.* | user_agent.* | ECS user_agent.* fields copied from the source document, if present, for custom query and indicator match rules. |
| vulnerability.* | vulnerability.* | ECS vulnerability.* fields copied from the source document, if present, for custom query and indicator match rules. |
| signal.ancestors.* | kibana.alert.ancestors.* | Type: object |
| signal.depth | kibana.alert.depth | Type: long |
| N/A | kibana.alert.new_terms | The value of the new term that generated this alert. Type: keyword |
| signal.original_event.* | kibana.alert.original_event.* | Type: object |
| signal.original_time | kibana.alert.original_time | The value copied from the source event (@timestamp). Type: date |
| signal.reason | kibana.alert.reason | Type: keyword |
| signal.rule.author | kibana.alert.rule.author | The author who created the rule. Refer to configure advanced rule settings. Type: keyword |
| signal.rule.building_block_type | kibana.alert.building_block_type | The value of building_block_type from the rule that generated this alert. Refer to configure advanced rule settings. Type: keyword |
| signal.rule.created_at | kibana.alert.rule.created_at | The value of created.at from the rule that generated this alert. Type: date |
| signal.rule.created_by | kibana.alert.rule.created_by | Type: keyword |
| signal.rule.description | kibana.alert.rule.description | Type: keyword |
| signal.rule.enabled | kibana.alert.rule.enabled | Type: keyword |
| signal.rule.false_positives | kibana.alert.rule.false_positives | Type: keyword |
| signal.rule.from | kibana.alert.rule.from | Type: keyword |
| signal.rule.id | kibana.alert.rule.uuid | Type: keyword |
| signal.rule.immutable | kibana.alert.rule.immutable | Type: keyword |
| signal.rule.interval | kibana.alert.rule.interval | Type: keyword |
| signal.rule.license | kibana.alert.rule.license | Type: keyword |
| signal.rule.max_signals | kibana.alert.rule.max_signals | Type: long |
| signal.rule.name | kibana.alert.rule.name | Type: keyword |
| signal.rule.note | kibana.alert.rule.note | Type: keyword |
| signal.rule.references | kibana.alert.rule.references | Type: keyword |
| signal.rule.risk_score | kibana.alert.risk_score | Type: float |
| signal.rule.rule_id | kibana.alert.rule.rule_id | Type: keyword |
| signal.rule.rule_name_override | kibana.alert.rule.rule_name_override | Type: keyword |
| signal.rule.severity | kibana.alert.severity | Alert severity, populated by the rule type at alert creation. Must be one of low, medium, high, or critical. Type: keyword |
| signal.rule.tags | kibana.alert.rule.tags | Type: keyword |
| signal.rule.threat.* | kibana.alert.rule.threat.* | Type: object |
| signal.rule.timeline_id | kibana.alert.rule.timeline_id | Type: keyword |
| signal.rule.timeline_title | kibana.alert.rule.timeline_title | Type: keyword |
| signal.rule.timestamp_override | kibana.alert.rule.timestamp_override | Type: keyword |
| signal.rule.to | kibana.alert.rule.to | Type: keyword |
| signal.rule.type | kibana.alert.rule.type | Type: keyword |
| signal.rule.updated_at | kibana.alert.rule.updated_at | Type: date |
| signal.rule.updated_by | kibana.alert.rule.updated_by | Type: keyword |
| signal.rule.version | kibana.alert.rule.version | A number that represents a rule's version. Type: keyword |
| N/A | kibana.alert.rule.revision | A number that is incremented each time you edit a rule. Type: long |
| signal.status | kibana.alert.workflow_status | Type: keyword |
| N/A | kibana.alert.workflow_status_updated_at | The timestamp of when the alert's status was last updated. Type: date |
| signal.threshold_result.* | kibana.alert.threshold_result.* | Type: object |
| signal.group.id | kibana.alert.group.id | Type: keyword |
| signal.group.index | kibana.alert.group.index | Type: integer |
| signal.rule.index | kibana.alert.rule.parameters.index | Type: flattened |
| signal.rule.language | kibana.alert.rule.parameters.language | Type: flattened |
| signal.rule.query | kibana.alert.rule.parameters.query | Type: flattened |
| signal.rule.risk_score_mapping | kibana.alert.rule.parameters.risk_score_mapping | Type: flattened |
| signal.rule.saved_id | kibana.alert.rule.parameters.saved_id | Type: flattened |
| signal.rule.severity_mapping | kibana.alert.rule.parameters.severity_mapping | Type: flattened |
| signal.rule.threat_filters | kibana.alert.rule.parameters.threat_filters | Type: flattened |
| signal.rule.threat_index | kibana.alert.rule.parameters.threat_index | Names of the indicator indices. Type: flattened |
| signal.rule.threat_indicator_path | kibana.alert.rule.parameters.threat_indicator_path | Type: flattened |
| signal.rule.threat_language | kibana.alert.rule.parameters.threat_language | Type: flattened |
| signal.rule.threat_mapping.* | kibana.alert.rule.parameters.threat_mapping.* | Controls which fields are compared between the indicator and source documents. Type: flattened |
| signal.rule.threat_query | kibana.alert.rule.parameters.threat_query | Type: flattened |
| signal.rule.threshold.* | kibana.alert.rule.parameters.threshold.* | Type: flattened |
| N/A | kibana.space_ids | Type: keyword |
| N/A | kibana.alert.rule.consumer | Type: keyword |
| N/A | kibana.alert.status | Type: keyword |
| N/A | kibana.alert.rule.category | Type: keyword |
| N/A | kibana.alert.rule.execution.uuid | Type: keyword |
| N/A | kibana.alert.rule.producer | Type: keyword |
| N/A | kibana.alert.rule.rule_type_id | Type: keyword |
| N/A | kibana.alert.suppression.terms.field | The fields used to group alerts for suppression. Type: keyword |
| N/A | kibana.alert.suppression.terms.value | The values in the suppression fields. Type: keyword |
| N/A | kibana.alert.suppression.start | The timestamp of the first document in the suppression group. Type: date |
| N/A | kibana.alert.suppression.end | The timestamp of the last document in the suppression group. Type: date |
| N/A | kibana.alert.suppression.docs_count | The number of suppressed alerts. Type: long |
| N/A | kibana.alert.url | The shareable URL for the alert. This field only appears if you have set the server.publicBaseUrl configuration setting in the kibana.yml file. Type: long |
| N/A | kibana.alert.workflow_tags | List of tags added to an alert. This field can contain an array of values, for example: ["False Positive", "production"]. Type: keyword |
| N/A | kibana.alert.workflow_assignee_ids | List of users assigned to an alert. An array of unique identifiers (UIDs) for user profiles, for example: ["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]. UIDs are linked to user profiles that are created automatically when users first log in to a deployment. These profiles contain names, emails, profile avatars, and other user settings. Type: string[] |