Alert schema


Elastic Security stores alerts that have been generated by detection rules in hidden Elasticsearch indices. In 8.x versions, the index pattern is .alerts-security.alerts-<space-id>. In 7.x versions, the index pattern was .siem-signals-<space-id>, and some field names were different. The following table lists the current names and cross-references the legacy field names.

Users are advised NOT to use the _source field in alert documents, but rather to use the fields option in the search API to programmatically obtain the list of fields used in these documents. Learn more about retrieving selected fields from a search.

The non-ECS fields listed below are beta and subject to change.

| 7.x signal field | 8.x alert field | Description |
|---|---|---|
| @timestamp | @timestamp | ECS field, represents the time when the alert was created or most recently updated. |
| message | message | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| tags | tags | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| labels | labels | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| ecs.version | ecs.version | ECS mapping version of the alert. |
| event.kind | event.kind | ECS field, always signal for alert documents. |
| event.category | event.category | ECS field, copied from the source document, if present, for custom query and indicator match rules. |
| event.type | event.type | ECS field, copied from the source document, if present, for custom query and indicator match rules. |
| event.outcome | event.outcome | ECS field, copied from the source document, if present, for custom query and indicator match rules. |
| agent.* | agent.* | ECS agent.* fields copied from the source document, if present, for custom query and indicator match rules. |
| client.* | client.* | ECS client.* fields copied from the source document, if present, for custom query and indicator match rules. |
| cloud.* | cloud.* | ECS cloud.* fields copied from the source document, if present, for custom query and indicator match rules. |
| container.* | container.* | ECS container.* fields copied from the source document, if present, for custom query and indicator match rules. |
| data_stream.* | data_stream.* | ECS data_stream.* fields copied from the source document, if present, for custom query and indicator match rules. NOTE: These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
| destination.* | destination.* | ECS destination.* fields copied from the source document, if present, for custom query and indicator match rules. |
| dll.* | dll.* | ECS dll.* fields copied from the source document, if present, for custom query and indicator match rules. |
| dns.* | dns.* | ECS dns.* fields copied from the source document, if present, for custom query and indicator match rules. |
| error.* | error.* | ECS error.* fields copied from the source document, if present, for custom query and indicator match rules. |
| event.* | event.* | ECS event.* fields copied from the source document, if present, for custom query and indicator match rules. NOTE: The categorization fields (event.kind, event.category, event.type, event.outcome) are listed separately above. |
| file.* | file.* | ECS file.* fields copied from the source document, if present, for custom query and indicator match rules. |
| group.* | group.* | ECS group.* fields copied from the source document, if present, for custom query and indicator match rules. |
| host.* | host.* | ECS host.* fields copied from the source document, if present, for custom query and indicator match rules. |
| http.* | http.* | ECS http.* fields copied from the source document, if present, for custom query and indicator match rules. |
| log.* | log.* | ECS log.* fields copied from the source document, if present, for custom query and indicator match rules. |
| network.* | network.* | ECS network.* fields copied from the source document, if present, for custom query and indicator match rules. |
| observer.* | observer.* | ECS observer.* fields copied from the source document, if present, for custom query and indicator match rules. |
| orchestrator.* | orchestrator.* | ECS orchestrator.* fields copied from the source document, if present, for custom query and indicator match rules. |
| organization.* | organization.* | ECS organization.* fields copied from the source document, if present, for custom query and indicator match rules. |
| package.* | package.* | ECS package.* fields copied from the source document, if present, for custom query and indicator match rules. |
| process.* | process.* | ECS process.* fields copied from the source document, if present, for custom query and indicator match rules. |
| registry.* | registry.* | ECS registry.* fields copied from the source document, if present, for custom query and indicator match rules. |
| related.* | related.* | ECS related.* fields copied from the source document, if present, for custom query and indicator match rules. |
| rule.* | rule.* | ECS rule.* fields copied from the source document, if present, for custom query and indicator match rules. NOTE: These fields are not related to the detection rule that generated the alert. |
| server.* | server.* | ECS server.* fields copied from the source document, if present, for custom query and indicator match rules. |
| service.* | service.* | ECS service.* fields copied from the source document, if present, for custom query and indicator match rules. |
| source.* | source.* | ECS source.* fields copied from the source document, if present, for custom query and indicator match rules. |
| span.* | span.* | ECS span.* fields copied from the source document, if present, for custom query and indicator match rules. |
| threat.* | threat.* | ECS threat.* fields copied from the source document, if present, for custom query and indicator match rules. |
| tls.* | tls.* | ECS tls.* fields copied from the source document, if present, for custom query and indicator match rules. |
| trace.* | trace.* | ECS trace.* fields copied from the source document, if present, for custom query and indicator match rules. |
| transaction.* | transaction.* | ECS transaction.* fields copied from the source document, if present, for custom query and indicator match rules. |
| url.* | url.* | ECS url.* fields copied from the source document, if present, for custom query and indicator match rules. |
| user.* | user.* | ECS user.* fields copied from the source document, if present, for custom query and indicator match rules. |
| user_agent.* | user_agent.* | ECS user_agent.* fields copied from the source document, if present, for custom query and indicator match rules. |
| vulnerability.* | vulnerability.* | ECS vulnerability.* fields copied from the source document, if present, for custom query and indicator match rules. |
| signal.ancestors.* | kibana.alert.ancestors.* | Type: object |
| signal.depth | kibana.alert.depth | Type: long |
| N/A | kibana.alert.new_terms | The value of the new term that generated this alert. Type: keyword |
| signal.original_event.* | kibana.alert.original_event.* | Type: object |
| signal.original_time | kibana.alert.original_time | The value copied from the source event (@timestamp). Type: date |
| signal.reason | kibana.alert.reason | Type: keyword |
| signal.rule.author | kibana.alert.rule.author | The value of the author who created the rule. Refer to configure advanced rule settings. Type: keyword |
| signal.rule.building_block_type | kibana.alert.building_block_type | The value of building_block_type from the rule that generated this alert. Refer to configure advanced rule settings. Type: keyword |
| signal.rule.created_at | kibana.alert.rule.created_at | The value of created_at from the rule that generated this alert. Type: date |
| signal.rule.created_by | kibana.alert.rule.created_by | Type: keyword |
| signal.rule.description | kibana.alert.rule.description | Type: keyword |
| signal.rule.enabled | kibana.alert.rule.enabled | Type: keyword |
| signal.rule.false_positives | kibana.alert.rule.false_positives | Type: keyword |
| signal.rule.from | kibana.alert.rule.from | Type: keyword |
| signal.rule.id | kibana.alert.rule.uuid | Type: keyword |
| signal.rule.immutable | kibana.alert.rule.immutable | Type: keyword |
| signal.rule.interval | kibana.alert.rule.interval | Type: keyword |
| signal.rule.license | kibana.alert.rule.license | Type: keyword |
| signal.rule.max_signals | kibana.alert.rule.max_signals | Type: long |
| signal.rule.name | kibana.alert.rule.name | Type: keyword |
| signal.rule.note | kibana.alert.rule.note | Type: keyword |
| signal.rule.references | kibana.alert.rule.references | Type: keyword |
| signal.rule.risk_score | kibana.alert.risk_score | Type: float |
| signal.rule.rule_id | kibana.alert.rule.rule_id | Type: keyword |
| signal.rule.rule_name_override | kibana.alert.rule.rule_name_override | Type: keyword |
| signal.rule.severity | kibana.alert.severity | Alert severity, populated by the rule_type at alert creation. Must have a value of low, medium, high, or critical. Type: keyword |
| signal.rule.tags | kibana.alert.rule.tags | Type: keyword |
| signal.rule.threat.* | kibana.alert.rule.threat.* | Type: object |
| signal.rule.timeline_id | kibana.alert.rule.timeline_id | Type: keyword |
| signal.rule.timeline_title | kibana.alert.rule.timeline_title | Type: keyword |
| signal.rule.timestamp_override | kibana.alert.rule.timestamp_override | Type: keyword |
| signal.rule.to | kibana.alert.rule.to | Type: keyword |
| signal.rule.type | kibana.alert.rule.type | Type: keyword |
| signal.rule.updated_at | kibana.alert.rule.updated_at | Type: date |
| signal.rule.updated_by | kibana.alert.rule.updated_by | Type: keyword |
| signal.rule.version | kibana.alert.rule.version | A number that represents a rule's version. Type: keyword |
| N/A | kibana.alert.rule.revision | A number that gets incremented each time you edit a rule. Type: long |
| signal.status | kibana.alert.workflow_status | Type: keyword |
| N/A | kibana.alert.workflow_status_updated_at | The timestamp of when the alert's status was last updated. Type: date |
| signal.threshold_result.* | kibana.alert.threshold_result.* | Type: object |
| signal.group.id | kibana.alert.group.id | Type: keyword |
| signal.group.index | kibana.alert.group.index | Type: integer |
| signal.rule.index | kibana.alert.rule.parameters.index | Type: flattened |
| signal.rule.language | kibana.alert.rule.parameters.language | Type: flattened |
| signal.rule.query | kibana.alert.rule.parameters.query | Type: flattened |
| signal.rule.risk_score_mapping | kibana.alert.rule.parameters.risk_score_mapping | Type: flattened |
| signal.rule.saved_id | kibana.alert.rule.parameters.saved_id | Type: flattened |
| signal.rule.severity_mapping | kibana.alert.rule.parameters.severity_mapping | Type: flattened |
| signal.rule.threat_filters | kibana.alert.rule.parameters.threat_filters | Type: flattened |
| signal.rule.threat_index | kibana.alert.rule.parameters.threat_index | Names of the indicator indices. Type: flattened |
| signal.rule.threat_indicator_path | kibana.alert.rule.parameters.threat_indicator_path | Type: flattened |
| signal.rule.threat_language | kibana.alert.rule.parameters.threat_language | Type: flattened |
| signal.rule.threat_mapping.* | kibana.alert.rule.parameters.threat_mapping.* | Controls which fields will be compared in the indicator and source documents. Type: flattened |
| signal.rule.threat_query | kibana.alert.rule.parameters.threat_query | Type: flattened |
| signal.rule.threshold.* | kibana.alert.rule.parameters.threshold.* | Type: flattened |
| N/A | kibana.space_ids | Type: keyword |
| N/A | kibana.alert.rule.consumer | Type: keyword |
| N/A | kibana.alert.status | Type: keyword |
| N/A | kibana.alert.rule.category | Type: keyword |
| N/A | kibana.alert.rule.execution.uuid | Type: keyword |
| N/A | kibana.alert.rule.producer | Type: keyword |
| N/A | kibana.alert.rule.rule_type_id | Type: keyword |
| N/A | kibana.alert.suppression.terms.field | The fields used to group alerts for suppression. Type: keyword |
| N/A | kibana.alert.suppression.terms.value | The values in the suppression fields. Type: keyword |
| N/A | kibana.alert.suppression.start | The timestamp of the first document in the suppression group. Type: date |
| N/A | kibana.alert.suppression.end | The timestamp of the last document in the suppression group. Type: date |
| N/A | kibana.alert.suppression.docs_count | The number of suppressed alerts. Type: long |
| N/A | kibana.alert.url | The shareable URL for the alert. This field only appears if you've set the server.publicBaseUrl configuration setting in the kibana.yml file. Type: long |
| N/A | kibana.alert.workflow_tags | List of tags added to an alert. This field can contain an array of values, for example: ["False Positive", "production"]. Type: keyword |
| N/A | kibana.alert.workflow_assignee_ids | List of users assigned to an alert. An array of unique identifiers (UIDs) for user profiles, for example: ["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]. UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings. Type: string[] |
| N/A | kibana.alert.intended_timestamp | Shows the alert's estimated timestamp, had the alert been created when the source event initially occurred. The value depends on how the rule was run. Scheduled run: alerts created by scheduled runs have the same timestamp as the @timestamp field, which shows when the alert was created. Manual run: alerts created by manual runs have a timestamp that falls within the time range specified for the manual run; for example, if you set a rule to manually run on event data from 10/01/2024 05:00 PM to 10/07/2024 05:00 PM, the kibana.alert.intended_timestamp value will be a date and time within that range. Type: date |
| N/A | kibana.alert.rule.execution.type | Shows if an alert was created by a manual run or a scheduled run. The value can be manual or scheduled. Type: keyword |
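The following is an added example, not code from Elastic or from this page, that ties together the two practical points above: reading alert documents through the search API's `fields` option instead of `_source` (with the index pattern for a space), and normalizing legacy 7.x `signal.*` names to the 8.x `kibana.alert.*` names from the table so that tooling written against either index layout produces the same output. The rename logic generalizes the table: the irregular cases are spelled out, the rule settings that moved under `kibana.alert.rule.parameters.*` are listed, and everything else is a plain `signal.` to `kibana.alert.` prefix swap. The query filter (open alerts in a time window), the function names, and the sample response are assumptions constructed for this example; nothing here was captured from a real cluster.

```python
"""Read Elastic Security alerts via the search API `fields` option and map
7.x signal.* field names onto the 8.x kibana.alert.* names from the table.
Added example; the request shape and sample data are assumptions."""
from __future__ import annotations

from typing import Any

# Index patterns from the page: 8.x alert indices vs 7.x signal indices.
ALERT_INDEX_8X = ".alerts-security.alerts-{space_id}"
SIGNAL_INDEX_7X = ".siem-signals-{space_id}"

# Renames from the table that are NOT a plain "signal." -> "kibana.alert." swap.
IRREGULAR_RENAMES = {
    "signal.rule.id": "kibana.alert.rule.uuid",
    "signal.rule.risk_score": "kibana.alert.risk_score",
    "signal.rule.severity": "kibana.alert.severity",
    "signal.rule.building_block_type": "kibana.alert.building_block_type",
    "signal.status": "kibana.alert.workflow_status",
}
# Rule settings that moved under kibana.alert.rule.parameters.* in 8.x.
PARAMETER_FIELDS = frozenset({
    "index", "language", "query", "risk_score_mapping", "saved_id",
    "severity_mapping", "threat_filters", "threat_index",
    "threat_indicator_path", "threat_language", "threat_mapping",
    "threat_query", "threshold",
})


def alerts_index(space_id: str, major_version: int = 8) -> str:
    """Hidden alert index pattern for a Kibana space, by stack major version."""
    pattern = ALERT_INDEX_8X if major_version >= 8 else SIGNAL_INDEX_7X
    return pattern.format(space_id=space_id)


def to_8x_field(name: str) -> str:
    """Translate a 7.x signal.* name to its 8.x kibana.alert.* name.
    ECS fields and names that are already 8.x are returned unchanged."""
    if name in IRREGULAR_RENAMES:
        return IRREGULAR_RENAMES[name]
    if name.startswith("signal.rule."):
        rest = name[len("signal.rule."):]
        # Wildcard groups such as threat_mapping.* arrive as leaf paths, so
        # match on the first path component under signal.rule.
        if rest.split(".", 1)[0] in PARAMETER_FIELDS:
            return "kibana.alert.rule.parameters." + rest
    if name.startswith("signal."):
        return "kibana.alert." + name[len("signal."):]
    return name


def build_alert_search(space_id: str, fields: list[str], since: str,
                       size: int = 100) -> dict[str, Any]:
    """Search request that selects fields with `fields` and disables `_source`.
    The open-status and time-range filter is an assumption for this example."""
    return {
        "index": alerts_index(space_id),
        "body": {
            "size": size,
            "_source": False,
            "fields": fields,
            "query": {"bool": {"filter": [
                {"term": {"kibana.alert.workflow_status": "open"}},
                {"range": {"@timestamp": {"gte": since}}},
            ]}},
            "sort": [{"@timestamp": "desc"}],
        },
    }


def flatten_hits(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten each hit's `fields` block into a dict keyed by 8.x field name.
    The `fields` option returns every value as an array; single-element
    arrays are unwrapped, multi-valued fields (e.g. workflow_tags) stay lists."""
    docs: list[dict[str, Any]] = []
    for hit in response.get("hits", {}).get("hits", []):
        doc: dict[str, Any] = {"_id": hit.get("_id"), "_index": hit.get("_index")}
        for raw_name, values in hit.get("fields", {}).items():
            doc[to_8x_field(raw_name)] = values[0] if len(values) == 1 else list(values)
        docs.append(doc)
    return docs


# Constructed sample response (not from a real cluster): one 8.x alert and
# one 7.x signal, shaped the way the `fields` option returns hits.
SAMPLE_RESPONSE: dict[str, Any] = {"hits": {"hits": [
    {"_index": ".alerts-security.alerts-default", "_id": "alert-1", "fields": {
        "@timestamp": ["2024-10-03T12:00:00.000Z"],
        "kibana.alert.rule.name": ["Constructed example rule"],
        "kibana.alert.severity": ["high"],
        "kibana.alert.workflow_status": ["open"],
        "kibana.alert.workflow_tags": ["False Positive", "production"],
    }},
    {"_index": ".siem-signals-default", "_id": "signal-1", "fields": {
        "@timestamp": ["2024-10-03T11:00:00.000Z"],
        "signal.rule.name": ["Constructed example rule"],
        "signal.rule.id": ["PLACEHOLDER-RULE-UUID"],  # placeholder, not a real id
        "signal.rule.risk_score": [73],
        "signal.rule.severity": ["high"],
        "signal.rule.threat_index": ["filebeat-*", "logs-ti_*"],
        "signal.status": ["open"],
    }},
]}}

if __name__ == "__main__":
    print(build_alert_search("default", ["@timestamp", "kibana.alert.severity"], "now-24h"))
    for doc in flatten_hits(SAMPLE_RESPONSE):
        print(doc["_index"], doc["kibana.alert.severity"], doc["kibana.alert.workflow_status"])
```

One caveat worth keeping in mind with the `fields` option: because every value comes back as an array, a field that is genuinely multi-valued but happens to hold one value (a single workflow tag, one assignee) is indistinguishable from a scalar in the response, so the unwrapping above is a convenience for display, and code that needs the list shape should consult the mapping type from the table rather than the array length.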