Alert schema

edit

Elastic Security stores alerts that have been generated by detection rules in hidden Elasticsearch indices. The index pattern is .alerts-security.alerts-<space-id->.

Users are advised NOT to use the _source field in alert documents, but rather to use the fields option in the search API to programmatically obtain the list of fields used in these documents. Learn more about retrieving selected fields from a search.

The non-ECS fields listed below are beta and subject to change.

Alert field Description

@timestamp

ECS field, represents the time when the alert was created or most recently updated.

message

ECS field copied from the source document, if present, for custom query and indicator match rules.

tags

ECS field copied from the source document, if present, for custom query and indicator match rules.

labels

ECS field copied from the source document, if present, for custom query and indicator match rules.

ecs.version

ECS mapping version of the alert.

event.kind

ECS field, always signal for alert documents.

event.category

ECS field, copied from the source document, if present, for custom query and indicator match rules.

event.type

ECS field, copied from the source document, if present, for custom query and indicator match rules.

event.outcome

ECS field, copied from the source document, if present, for custom query and indicator match rules.

agent.*

ECS agent.* fields copied from the source document, if present, for custom query and indicator match rules.

client.*

ECS client.* fields copied from the source document, if present, for custom query and indicator match rules.

cloud.*

ECS cloud.* fields copied from the source document, if present, for custom query and indicator match rules.

container.*

ECS container.* fields copied from the source document, if present, for custom query and indicator match rules.

data_stream.*

ECS data_stream.* fields copied from the source document, if present, for custom query and indicator match rules.

These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords.

destination.*

ECS destination.* fields copied from the source document, if present, for custom query and indicator match rules.

dll.*

ECS dll.* fields copied from the source document, if present, for custom query and indicator match rules.

dns.*

ECS dns.* fields copied from the source document, if present, for custom query and indicator match rules.

error.*

ECS error.* fields copied from the source document, if present, for custom query and indicator match rules.

event.*

ECS event.* fields copied from the source document, if present, for custom query and indicator match rules.

categorization fields above (event.kind, event.category, event.type, event.outcome) are listed separately above.

file.*

ECS file.* fields copied from the source document, if present, for custom query and indicator match rules.

group.*

ECS group.* fields copied from the source document, if present, for custom query and indicator match rules.

host.*

ECS host.* fields copied from the source document, if present, for custom query and indicator match rules.

http.*

ECS http.* fields copied from the source document, if present, for custom query and indicator match rules.

log.*

ECS log.* fields copied from the source document, if present, for custom query and indicator match rules.

network.*

ECS network.* fields copied from the source document, if present, for custom query and indicator match rules.

observer.*

ECS observer.* fields copied from the source document, if present, for custom query and indicator match rules.

orchestrator.*

ECS orchestrator.* fields copied from the source document, if present, for custom query and indicator match rules.

organization.*

ECS organization.* fields copied from the source document, if present, for custom query and indicator match rules.

package.*

ECS package.* fields copied from the source document, if present, for custom query and indicator match rules.

process.*

ECS process.* fields copied from the source document, if present, for custom query and indicator match rules.

registry.*

ECS registry.* fields copied from the source document, if present, for custom query and indicator match rules.

related.*

ECS related.* fields copied from the source document, if present, for custom query and indicator match rules.

rule.*

ECS rule.* fields copied from the source document, if present, for custom query and indicator match rules.

These fields are not related to the detection rule that generated the alert.

server.*

ECS server.* fields copied from the source document, if present, for custom query and indicator match rules.

service.*

ECS service.* fields copied from the source document, if present, for custom query and indicator match rules.

source.*

ECS source.* fields copied from the source document, if present, for custom query and indicator match rules.

span.*

ECS span.* fields copied from the source document, if present, for custom query and indicator match rules.

threat.*

ECS threat.* fields copied from the source document, if present, for custom query and indicator match rules.

tls.*

ECS tls.* fields copied from the source document, if present, for custom query and indicator match rules.

trace.*

ECS trace.* fields copied from the source document, if present, for custom query and indicator match rules.

transaction.*

ECS transaction.* fields copied from the source document, if present, for custom query and indicator match rules.

url.*

ECS url.* fields copied from the source document, if present, for custom query and indicator match rules.

user.*

ECS user.* fields copied from the source document, if present, for custom query and indicator match rules.

user_agent.*

ECS user_agent.* fields copied from the source document, if present, for custom query and indicator match rules.

vulnerability.*

ECS vulnerability.* fields copied from the source document, if present, for custom query and indicator match rules.

kibana.alert.ancestors.*

Type: object

kibana.alert.depth

Type: Long

kibana.alert.new_terms

The value of the new term that generated this alert.

Type: keyword

kibana.alert.original_event.*

Type: object

kibana.alert.original_time

The value copied from the source event (@timestamp).

Type: date

kibana.alert.reason

Type: keyword

kibana.alert.rule.author

The value of the author who created the rule. Refer to configure advanced rule settings.

Type: keyword

kibana.alert.building_block_type

The value of building_block_type from the rule that generated this alert. Refer to configure advanced rule settings.

Type: keyword

kibana.alert.rule.created_at

The value of created.at from the rule that generated this alert.

Type: date

kibana.alert.rule.created_by

Type: keyword

kibana.alert.rule.description

Type: keyword

kibana.alert.rule.enabled

Type: keyword

kibana.alert.rule.false_positives

Type: keyword

kibana.alert.rule.from

Type: keyword

kibana.alert.rule.uuid

Type: keyword

kibana.alert.rule.immutable

Type: keyword

kibana.alert.rule.interval

Type: keyword

kibana.alert.rule.license

Type: keyword

kibana.alert.rule.max_signals

Type: long

kibana.alert.rule.name

Type: keyword

kibana.alert.rule.note

Type: keyword

kibana.alert.rule.references

Type: keyword

kibana.alert.risk_score

Type: float

kibana.alert.rule.rule_id

Type: keyword

kibana.alert.rule.rule_name_override

Type: keyword

kibana.alert.severity

Alert severity, populated by the rule_type at alert creation. Must have a value of low, medium, high, critical.

Type: keyword

kibana.alert.rule.tags

Type: keyword

kibana.alert.rule.threat.*

Type: object

kibana.alert.rule.timeline_id

Type: keyword

kibana.alert.rule.timeline_title

Type: keyword

kibana.alert.rule.timestamp_override

Type: keyword

kibana.alert.rule.to

Type: keyword

kibana.alert.rule.type

Type: keyword

kibana.alert.rule.updated_at

Type: date

kibana.alert.rule.updated_by

Type: keyword

kibana.alert.rule.version

A number that represents a rule’s version.

Type: keyword

kibana.alert.rule.revision

A number that gets incremented each time you edit a rule.

Type: long

kibana.alert.workflow_status

Type: keyword

kibana.alert.workflow_status_updated_at

The timestamp of when the alert’s status was last updated.

Type: date

kibana.alert.threshold_result.*

Type: object

kibana.alert.group.id

Type: keyword

kibana.alert.group.index

Type: integer

kibana.alert.rule.parameters.index

Type: flattened

kibana.alert.rule.parameters.language

Type: flattened

kibana.alert.rule.parameters.query

Type: flattened

kibana.alert.rule.parameters.risk_score_mapping

Type: flattened

kibana.alert.rule.parameters.saved_id

Type: flattened

kibana.alert.rule.parameters.severity_mapping

Type: flattened

kibana.alert.rule.parameters.threat_filters

Type: flattened

kibana.alert.rule.parameters.threat_index

Names of the indicator indices.

Type: flattened

kibana.alert.rule.parameters.threat_indicator_path

Type: flattened

kibana.alert.rule.parameters.threat_language

Type: flattened

kibana.alert.rule.parameters.threat_mapping.*

Controls which fields will be compared in the indicator and source documents.

Type: flattened

kibana.alert.rule.parameters.threat_query

Type: flattened

kibana.alert.rule.parameters.threshold.*

Type: flattened

kibana.space_ids

Type: keyword

kibana.alert.rule.consumer

Type: keyword

kibana.alert.status

Type: keyword

kibana.alert.rule.category

Type: keyword

kibana.alert.rule.execution.uuid

Type: keyword

kibana.alert.rule.producer

Type: keyword

kibana.alert.rule.rule_type_id

Type: keyword

kibana.alert.suppression.terms.field

The fields used to group alerts for suppression.

Type: keyword

kibana.alert.suppression.terms.value

The values in the suppression fields.

Type: keyword

kibana.alert.suppression.start

The timestamp of the first document in the suppression group.

Type: date

kibana.alert.suppression.end

The timestamp of the last document in the suppression group.

Type: date

kibana.alert.suppression.docs_count

The number of suppressed alerts.

Type: long

kibana.alert.url

The shareable URL for the alert.

This field only appears if you’ve set the server.publicBaseUrl configuration setting in the kibana.yml file.

Type: long

kibana.alert.workflow_tags

List of tags added to an alert.

This field can contain an array of values, for example: ["False Positive", "production"]

Type: keyword

kibana.alert.workflow_assignee_ids

List of users assigned to an alert.

An array of unique identifiers (UIDs) for user profiles, for example: ["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]

UIDs are linked to user profiles that are automatically created when users first log into a project. These profiles contain names, emails, profile avatars, and other user settings.

Type: string[]

kibana.alert.intended_timestamp

Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run:

  • Scheduled run: Alerts created by scheduled runs have the same timestamp as the @timestamp field, which shows when the alert was created.
  • Manual run: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from 10/01/2024 05:00 PM to 10/07/2024 05:00 PM, the kibana.alert.intended_timestamp value will be a date and time within that range.

Type: date

kibana.alert.rule.execution.type

Shows if an alert was created by a manual run or a scheduled run. The value can be manual or scheduled.

Type: keyword