| Field | Description |
| --- | --- |
| @timestamp | ECS field; represents the time when the alert was created or most recently updated. |
| message | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| tags | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| labels | ECS field copied from the source document, if present, for custom query and indicator match rules. |
| ecs.version | ECS mapping version of the alert. |
| event.kind | ECS field, always signal for alert documents. |
| event.category | ECS field, copied from the source document, if present, for custom query and indicator match rules. |
| event.type | ECS field, copied from the source document, if present, for custom query and indicator match rules. |
| event.outcome | ECS field, copied from the source document, if present, for custom query and indicator match rules. |
| agent.* | ECS agent.* fields copied from the source document, if present, for custom query and indicator match rules. |
| client.* | ECS client.* fields copied from the source document, if present, for custom query and indicator match rules. |
| cloud.* | ECS cloud.* fields copied from the source document, if present, for custom query and indicator match rules. |
| container.* | ECS container.* fields copied from the source document, if present, for custom query and indicator match rules. |
| data_stream.* | ECS data_stream.* fields copied from the source document, if present, for custom query and indicator match rules. These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
| destination.* | ECS destination.* fields copied from the source document, if present, for custom query and indicator match rules. |
| dll.* | ECS dll.* fields copied from the source document, if present, for custom query and indicator match rules. |
| dns.* | ECS dns.* fields copied from the source document, if present, for custom query and indicator match rules. |
| error.* | ECS error.* fields copied from the source document, if present, for custom query and indicator match rules. |
| event.* | ECS event.* fields copied from the source document, if present, for custom query and indicator match rules. The event categorization fields (event.kind, event.category, event.type, event.outcome) are listed separately above. |
| file.* | ECS file.* fields copied from the source document, if present, for custom query and indicator match rules. |
| group.* | ECS group.* fields copied from the source document, if present, for custom query and indicator match rules. |
| host.* | ECS host.* fields copied from the source document, if present, for custom query and indicator match rules. |
| http.* | ECS http.* fields copied from the source document, if present, for custom query and indicator match rules. |
| log.* | ECS log.* fields copied from the source document, if present, for custom query and indicator match rules. |
| network.* | ECS network.* fields copied from the source document, if present, for custom query and indicator match rules. |
| observer.* | ECS observer.* fields copied from the source document, if present, for custom query and indicator match rules. |
| orchestrator.* | ECS orchestrator.* fields copied from the source document, if present, for custom query and indicator match rules. |
| organization.* | ECS organization.* fields copied from the source document, if present, for custom query and indicator match rules. |
| package.* | ECS package.* fields copied from the source document, if present, for custom query and indicator match rules. |
| process.* | ECS process.* fields copied from the source document, if present, for custom query and indicator match rules. |
| registry.* | ECS registry.* fields copied from the source document, if present, for custom query and indicator match rules. |
| related.* | ECS related.* fields copied from the source document, if present, for custom query and indicator match rules. |
| rule.* | ECS rule.* fields copied from the source document, if present, for custom query and indicator match rules. These fields are not related to the detection rule that generated the alert. |
| server.* | ECS server.* fields copied from the source document, if present, for custom query and indicator match rules. |
| service.* | ECS service.* fields copied from the source document, if present, for custom query and indicator match rules. |
| source.* | ECS source.* fields copied from the source document, if present, for custom query and indicator match rules. |
| span.* | ECS span.* fields copied from the source document, if present, for custom query and indicator match rules. |
| threat.* | ECS threat.* fields copied from the source document, if present, for custom query and indicator match rules. |
| tls.* | ECS tls.* fields copied from the source document, if present, for custom query and indicator match rules. |
| trace.* | ECS trace.* fields copied from the source document, if present, for custom query and indicator match rules. |
| transaction.* | ECS transaction.* fields copied from the source document, if present, for custom query and indicator match rules. |
| url.* | ECS url.* fields copied from the source document, if present, for custom query and indicator match rules. |
| user.* | ECS user.* fields copied from the source document, if present, for custom query and indicator match rules. |
| user_agent.* | ECS user_agent.* fields copied from the source document, if present, for custom query and indicator match rules. |
| vulnerability.* | ECS vulnerability.* fields copied from the source document, if present, for custom query and indicator match rules. |
| kibana.alert.ancestors.* | Type: object |
| kibana.alert.depth | Type: long |
| kibana.alert.new_terms | The value of the new term that generated this alert. Type: keyword |
| kibana.alert.original_event.* | Type: object |
| kibana.alert.original_time | The value copied from the source event (@timestamp). Type: date |
| kibana.alert.reason | Type: keyword |
| kibana.alert.rule.author | The value of the author who created the rule. Refer to configure advanced rule settings. Type: keyword |
| kibana.alert.building_block_type | The value of building_block_type from the rule that generated this alert. Refer to configure advanced rule settings. Type: keyword |
| kibana.alert.rule.created_at | The value of created.at from the rule that generated this alert. Type: date |
| kibana.alert.rule.created_by | Type: keyword |
| kibana.alert.rule.description | Type: keyword |
| kibana.alert.rule.enabled | Type: keyword |
| kibana.alert.rule.false_positives | Type: keyword |
| kibana.alert.rule.from | Type: keyword |
| kibana.alert.rule.uuid | Type: keyword |
| kibana.alert.rule.immutable | Type: keyword |
| kibana.alert.rule.interval | Type: keyword |
| kibana.alert.rule.license | Type: keyword |
| kibana.alert.rule.max_signals | Type: long |
| kibana.alert.rule.name | Type: keyword |
| kibana.alert.rule.note | Type: keyword |
| kibana.alert.rule.references | Type: keyword |
| kibana.alert.risk_score | Type: float |
| kibana.alert.rule.rule_id | Type: keyword |
| kibana.alert.rule.rule_name_override | Type: keyword |
| kibana.alert.severity | Alert severity, populated by the rule type at alert creation. Must be one of low, medium, high, or critical. Type: keyword |
| kibana.alert.rule.tags | Type: keyword |
| kibana.alert.rule.threat.* | Type: object |
| kibana.alert.rule.timeline_id | Type: keyword |
| kibana.alert.rule.timeline_title | Type: keyword |
| kibana.alert.rule.timestamp_override | Type: keyword |
| kibana.alert.rule.to | Type: keyword |
| kibana.alert.rule.type | Type: keyword |
| kibana.alert.rule.updated_at | Type: date |
| kibana.alert.rule.updated_by | Type: keyword |
| kibana.alert.rule.version | A number that represents a rule's version. Type: keyword |
| kibana.alert.rule.revision | A number that is incremented each time you edit a rule. Type: long |
| kibana.alert.workflow_status | Type: keyword |
| kibana.alert.workflow_status_updated_at | The timestamp of when the alert's status was last updated. Type: date |
| kibana.alert.threshold_result.* | Type: object |
| kibana.alert.group.id | Type: keyword |
| kibana.alert.group.index | Type: integer |
| kibana.alert.rule.parameters.index | Type: flattened |
| kibana.alert.rule.parameters.language | Type: flattened |
| kibana.alert.rule.parameters.query | Type: flattened |
| kibana.alert.rule.parameters.risk_score_mapping | Type: flattened |
| kibana.alert.rule.parameters.saved_id | Type: flattened |
| kibana.alert.rule.parameters.severity_mapping | Type: flattened |
| kibana.alert.rule.parameters.threat_filters | Type: flattened |
| kibana.alert.rule.parameters.threat_index | Names of the indicator indices. Type: flattened |
| kibana.alert.rule.parameters.threat_indicator_path | Type: flattened |
| kibana.alert.rule.parameters.threat_language | Type: flattened |
| kibana.alert.rule.parameters.threat_mapping.* | Controls which fields are compared between the indicator and source documents. Type: flattened |
| kibana.alert.rule.parameters.threat_query | Type: flattened |
| kibana.alert.rule.parameters.threshold.* | Type: flattened |
| kibana.space_ids | Type: keyword |
| kibana.alert.rule.consumer | Type: keyword |
| kibana.alert.status | Type: keyword |
| kibana.alert.rule.category | Type: keyword |
| kibana.alert.rule.execution.uuid | Type: keyword |
| kibana.alert.rule.producer | Type: keyword |
| kibana.alert.rule.rule_type_id | Type: keyword |
| kibana.alert.suppression.terms.field | The fields used to group alerts for suppression. Type: keyword |
| kibana.alert.suppression.terms.value | The values in the suppression fields. Type: keyword |
| kibana.alert.suppression.start | The timestamp of the first document in the suppression group. Type: date |
| kibana.alert.suppression.end | The timestamp of the last document in the suppression group. Type: date |
| kibana.alert.suppression.docs_count | The number of suppressed alerts. Type: long |
| kibana.alert.url | The shareable URL for the alert. This field only appears if you have set the server.publicBaseUrl configuration setting in the kibana.yml file. Type: long |
| kibana.alert.workflow_tags | List of tags added to an alert. This field can contain an array of values, for example: ["False Positive", "production"]. Type: keyword |
| kibana.alert.workflow_assignee_ids | List of users assigned to an alert. An array of unique identifiers (UIDs) for user profiles, for example: ["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]. UIDs are linked to user profiles that are created automatically when users first log into a project. These profiles contain names, emails, profile avatars, and other user settings. Type: string[] |
| kibana.alert.intended_timestamp | Shows the alert's estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by how the rule was run. Scheduled run: alerts created by scheduled runs have the same timestamp as the @timestamp field, which shows when the alert was created. Manual run: alerts created by manual runs have a timestamp that falls within the time range specified for the manual run; for example, if you set a rule to run manually on event data from 10/01/2024 05:00 PM to 10/07/2024 05:00 PM, the kibana.alert.intended_timestamp value will be a date and time within that range. Type: date |
| kibana.alert.rule.execution.type | Shows whether an alert was created by a manual run or a scheduled run. The value can be manual or scheduled. Type: keyword |