ECS Field Reference

edit

This is the documentation of ECS version 9.0.0-dev.

ECS defines multiple groups of related fields. They are called "field sets". The Base field set is the only one whose fields are defined at the root of the event.

All other field sets are defined as objects in Elasticsearch, under which all fields are defined.

For a single page representation of all fields, please see the generated CSV of fields.

Field Sets

edit
Field Set Description

Base

All fields defined directly at the root of the events.

Agent

Fields about the monitoring agent.

Autonomous System

Fields describing an Autonomous System (Internet routing prefix).

Client

Fields about the client side of a network connection, used with server.

Cloud

Fields about the cloud resource.

Code Signature

These fields contain information about binary code signatures.

Container

Fields describing the container that generated this event.

Data Stream

The data_stream fields take part in defining the new data stream naming scheme.

Destination

Fields about the destination side of a network connection, used with source.

Device

Fields characterizing a (mobile) device a process or application is running on.

DLL

These fields contain information about code libraries dynamically loaded into processes.

DNS

Fields describing DNS queries and answers.

ECS

Meta-information specific to ECS.

ELF Header

These fields contain Linux Executable Linkable Format (ELF) metadata.

Email

Describes an email transaction.

Error

Fields about errors of any kind.

Event

Fields breaking down the event details.

FaaS

Fields describing functions as a service.

File

Fields describing files.

Geo

Fields describing a location.

Group

User’s group relevant to the event.

Hash

Hashes, usually file hashes.

Host

Fields describing the relevant computing instance.

HTTP

Fields describing an HTTP request.

Interface

Fields to describe observer interface information.

Log

Details about the event’s logging mechanism.

Mach-O Header

These fields contain Mac OS Mach Object file format (Mach-O) metadata.

Network

Fields describing the communication path over which the event happened.

Observer

Fields describing an entity observing the event from outside the host.

Orchestrator

Fields relevant to container orchestrators.

Organization

Fields describing the organization or company the event is associated with.

Operating System

OS fields contain information about the operating system.

Package

These fields contain information about an installed software package.

PE Header

These fields contain Windows Portable Executable (PE) metadata.

Process

These fields contain information about a process.

Registry

Fields related to Windows Registry operations.

Related

Fields meant to facilitate pivoting around a piece of data.

Risk information

Fields for describing risk score and level.

Rule

Fields to capture details about rules used to generate alerts or other notable events.

Server

Fields about the server side of a network connection, used with client.

Service

Fields describing the service for or from which the data was collected.

Source

Fields about the source side of a network connection, used with destination.

Threat

Fields to classify events and alerts according to a threat taxonomy.

TLS

Fields describing a TLS connection.

Tracing

Fields related to distributed tracing.

URL

Fields that let you store URLs in various forms.

User

Fields to describe the user relevant to the event.

User agent

Fields to describe a browser user_agent string.

VLAN

Fields to describe observed VLAN information.

Volume

Fields related to storage volume details.

Vulnerability

Fields to describe the vulnerability relevant to an event.

x509 Certificate

These fields contain x509 certificate metadata.