Geo Fields
Geo fields can carry data about a specific location related to an event.
This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
Geo Field Details
| Field | Description | Level |
|---|---|---|
| | City name. type: keyword example: | core |
| | Two-letter code representing continent’s name. type: keyword example: | core |
| | Name of the continent. type: keyword example: | core |
| | Country ISO code. type: keyword example: | core |
| | Country name. type: keyword example: | core |
| | Longitude and latitude. type: geo_point example: | core |
| | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. type: keyword example: | extended |
| | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword example: | core |
| | Region ISO code. type: keyword example: | core |
| | Region name. type: keyword example: | core |
| | The time zone of the location, such as IANA time zone name. type: keyword example: | core |
Field Reuse
The geo fields are expected to be nested at:
- client.geo
- destination.geo
- host.geo
- observer.geo
- server.geo
- source.geo
- threat.enrichments.indicator.geo
- threat.indicator.geo
Note also that the geo fields are not expected to be used directly at the root of the events.
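The reuse rules above can be checked before events are indexed, since a query written against `source.geo` will not match a document whose geo data sits at the root or under another parent. The following is an added example, not part of the ECS documentation: the function names and the sample events are constructed for illustration, and it assumes events arrive as Python dictionaries with either nested objects or dotted keys.

```python
# Parents under which the page says the geo field set may be nested.
ALLOWED_GEO_PARENTS = {
    "client", "destination", "host", "observer", "server", "source",
    "threat.enrichments.indicator", "threat.indicator",
}

def find_geo_paths(node, prefix=""):
    """Yield the dotted path of every `geo` object found in an event.

    Handles nested objects, dotted keys such as "host.geo.name", and
    arrays of objects (array indexes are left out of the path so it can
    be compared with the reuse list).
    """
    if isinstance(node, list):
        for item in node:
            yield from find_geo_paths(item, prefix)
    elif isinstance(node, dict):
        for key, value in node.items():
            parts = (f"{prefix}.{key}" if prefix else key).split(".")
            if "geo" in parts:
                # Report the path up to and including the geo object.
                yield ".".join(parts[: parts.index("geo") + 1])
            else:
                yield from find_geo_paths(value, ".".join(parts))

def misplaced_geo(event):
    """Return the sorted geo paths that are outside the reuse list."""
    bad = set()
    for path in find_geo_paths(event):
        parent = path.rsplit(".", 1)[0] if "." in path else ""  # "" = root
        if parent not in ALLOWED_GEO_PARENTS:
            bad.add(path)
    return sorted(bad)

# Constructed sample events (not taken from the page).
GOOD_EVENT = {
    "source": {"ip": "198.51.100.7", "geo": {"country_iso_code": "US"}},
    "threat": {"enrichments": [{"indicator": {"geo": {"country_iso_code": "CA"}}}]},
    "host.geo.name": "dc-east",
}
BAD_EVENT = {
    "geo": {"country_iso_code": "US"},           # at the event root
    "user": {"geo": {"city_name": "Montreal"}},  # parent not in the list
    "destination.geo.country_iso_code": "DE",    # allowed
}

if __name__ == "__main__":
    print(misplaced_geo(GOOD_EVENT))
    print(misplaced_geo(BAD_EVENT))
```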