Parser
Field Standards
Detailed documentation of the supported field standards
This document provides a comprehensive reference of all supported field standards organized by category. Each field includes its type, description, and mapping information.
| Field Name | Field Set | Type | Description | |
|---|---|---|---|---|
| threat.id | Threat | string | A unique identifier for a specific threat from the original data source or threat intelligence database. Example: A CVE identifier like CVE-2026-001 or an internal ID like TID-5501 | |
| threat.name | Threat | string | The common name of the threat, malware family, or attack campaign identified. Example: Emotet, WannaCry, or Lazarus Group | |
| threat.type | Threat | string | The high-level classification of the threat based on its behavioral characteristics. Example: Malware, Phishing, or Exploit | |
| threat.status | Threat | string | The current state of the threat within the system after detection. Example: detected, blocked, or quarantined | |
| threat.score | Threat | string | A numerical risk or confidence score, typically on a scale from 0 to 100. Example: A score of 90 indicating a high-severity threat. | |
| threat.action | Threat | string | The specific defensive action taken by the security system to mitigate the threat. Example: deleted, alert_only, or connection_dropped | |
| threat.rule | Threat | string | The name or ID of the security rule or policy that triggered the detection. Example: "Suspicious PowerShell Download" or rule ID SIEM-RULE-005 | |
| threat.filename | Threat | string | The name of the file identified as malicious or associated with the threat behavior. Example: invoice.pdf.exe or backdoor.py | |
| threat.category | Threat | string | The technical category of the attack, often mapped to frameworks like MITRE ATT&CK. Example: Persistence or Exfiltration | |
| labels | Base | record | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as string. Example: docker and k8s labels. type: object example: {"application": "foo-bar", "env": "production"} k8s.pod.label container.label | |
| message | Base | string | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. type: match_only_text example: Hello World body Note: The body in OTLP is of type Any and can be either an unstructured log message or a structured event. | |
| tags | Base | string | List of strings used to tag each event. type: string Note: This field should contain an array of values. example: "production", "env2" | |
| agent.id | Agent | string | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. type: string example: 8a4f500d | |
| agent.name | Agent | string | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. type: string example: foo | |
| agent.type | Agent | string | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: string example: filebeat | |
| agent.version | Agent | string | Version of the agent. type: string example: 6.0.0-rc2 | |
| client.ip | Client | string | IP address of the client (IPv4 or IPv6). type: ip | |
| client.port | Client | long | Port of the client. type: long client.port | |
| client.user.name | Client | string | Short name or login of the user. type: string Multi-fields: * user.name.text (type: match_only_text) example: a.einstein user.name | |
| cloud.account.id | Cloud | string | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. type: string example: 666777888999 cloud.account.id | |
| cloud.instance.id | Cloud | string | Instance ID of the host machine. type: string example: i-1234567890abcdef0 | |
| cloud.provider | Cloud | string | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. type: string example: aws cloud.provider | |
| cloud.region | Cloud | string | Region in which this host, resource, or service is located. type: string example: us-east-1 cloud.region | |
| container.id | Container | string | Unique container id. type: string container.id | |
| container.name | Container | string | Container name. type: string container.name | |
| destination.bytes | Destination | long | Bytes sent from the destination to the source. type: long example: 184 | |
| destination.ip | Destination | string | IP address of the destination (IPv4 or IPv6). type: ip | |
| destination.mac | Destination | string | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two uppercase hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: string example: 00-00-5E-00-53-23 | |
| destination.port | Destination | long | Port of the destination. type: long destination.port | |
| destination.as.number | Destination | long | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long example: 15169 | |
| destination.geo.country_iso_code | Destination | string | Country ISO code. type: string example: CA geo.country.iso_code | |
| dns.answers.data | DNS | string | The data describing the resource. The meaning of this data depends on the type and class of the resource record. type: string example: 10.10.10.10 | |
| dns.question.name | DNS | string | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. type: string example: www.example.com dns.question.name | |
| dns.question.type | DNS | string | The type of record being queried. type: string example: AAAA | |
| dns.response_code | DNS | string | The DNS response code. type: string example: NOERROR | |
| ecs.version | ECS | string | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: string example: 1.0.0 Not applicable. | |
| error.code | Error | string | Error code describing the error. type: string | |
| error.message | Error | string | Error message. type: match_only_text exception.message | |
| event.action | Event | string | The action captured by the event. This describes the information in the event. It is more specific than event.category . Examples are group-add , process-started , file-created . The value is normally defined by the implementer. type: string example: user-password-change | |
| event.category | Event | string | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type , which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. type: string Note: This field should contain an array of values. Important: The field value must be one of the following: api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, library, malware, network, package, process, registry, session, threat, vulnerability, web To learn more about when to use which value, visit the page allowed values for event.category | |
| event.code | Event | string | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. type: string example: 4648 | |
| event.dataset | Event | string | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: string example: apache.access | |
| event.duration | Event | long | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. type: long | |
| event.id | Event | string | Unique ID to describe the event. type: string example: 8a4f500d | |
| event.kind | Event | string | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. type: string Important: The field value must be one of the following: alert, asset, enrichment, event, metric, state, pipeline_error, signal To learn more about when to use which value, visit the page allowed values for event.kind | |
| event.module | Event | string | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. type: string example: apache | |
| event.outcome | Event | string | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome , according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info , or any events for which an outcome does not make logical sense. type: string Important: The field value must be one of the following: failure, success, unknown To learn more about when to use which value, visit the page allowed values for event.outcome | |
| event.provider | Event | string | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). type: string example: kernel | |
| event.severity | Event | long | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in log.syslog.severity.code . event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity . type: long example: 7 | |
| event.type | Event | string | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. type: string Note: This field should contain an array of values. Important: The field value must be one of the following: access, admin, allowed, change, connection, creation, deletion, denied, device, end, error, group, indicator, info, installation, protocol, start, user To learn more about when to use which value, visit the page allowed values for event.type | |
| file.created | File | string | File creation time. Note that not all filesystems store the creation time. type: date file.created | |
| file.extension | File | string | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: string example: png file.extension | |
| file.name | File | string | Name of the file including the extension, without the directory. type: string example: example.png file.name | |
| file.owner | File | string | File owner's username. type: string example: alice file.owner.name | |
| file.path | File | string | Full path to the file, including the file name. It should include the drive letter, when appropriate. type: string Multi-fields: * file.path.text (type: match_only_text) example: /home/alice/example.png file.path | |
| file.size | File | long | File size in bytes. Only relevant when file.type is "file". type: long example: 16384 file.size | |
| file.hash.md5 | File | string | MD5 hash. type: string | |
| file.hash.sha256 | File | string | SHA256 hash. type: string | |
| group.id | Group | string | Unique identifier for the group on the system/platform. type: string | |
| group.name | Group | string | Name of the group. type: string | |
| host.architecture | Host | string | Operating system architecture. type: string example: x86_64 host.arch | |
| host.hostname | Host | string | Hostname of the host. It normally contains what the hostname command returns on the host machine. type: string | |
| host.id | Host | string | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . type: string host.id | |
| host.ip | Host | string | Host ip addresses. type: ip Note: This field should contain an array of values. host.ip | |
| host.name | Host | string | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. type: string host.name | |
| host.type | Host | string | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. type: string host.type | |
| host.os.family | Host | string | OS family (such as redhat, debian, freebsd, windows). type: string example: debian | |
| host.os.full | Host | string | Operating system name, including the version or code name. type: string Multi-fields: * os.full.text (type: match_only_text) example: Mac OS Mojave os.description | |
| http.request.body.content | HTTP | string | The full HTTP request body. type: wildcard Multi-fields: * http.request.body.content.text (type: match_only_text) example: Hello world | |
| http.request.method | HTTP | string | HTTP request method. The value should retain its casing from the original event. For example, GET , get , and GeT are all considered valid values for this field. type: string example: POST http.request.method_original http.request.method Note: http.request.method in SemConv is the known, normalized, upper case value of the request method, other than the ECS' http.request.method that retains casing from the original event. | |
| http.request.referrer | HTTP | string | Referrer for this HTTP request. type: string example: https://blog.example.com/ | |
| http.response.status_code | HTTP | long | HTTP response status code. type: long example: 404 http.response.status_code | |
| http.version | HTTP | string | HTTP version. type: string example: 1.1 network.protocol.name network.protocol.version Note: In OTel SemConv, network.protocol.version specifies the HTTP version if the value of network.protocol.name is http . | |
| log.file.path | Log | string | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: string example: /var/log/fun-times.log log.file.path | |
| log.level | Log | string | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level . If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn , err , i , informational . type: string example: error severity_text | |
| log.logger | Log | string | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. type: string example: org.elasticsearch.bootstrap.Bootstrap | |
| network.bytes | Network | long | Total bytes transferred in both directions. If source.bytes and destination.bytes are known, network.bytes is their sum. type: long example: 368 | |
| network.community_id | Network | string | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: string example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= | |
| network.direction | Network | string | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. Expected values for this field: * ingress * egress * inbound * outbound * internal * external * unknown type: string example: inbound | |
| network.iana_number | Network | string | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: string example: 6 | |
| network.packets | Network | long | Total packets transferred in both directions. If source.packets and destination.packets are known, network.packets is their sum. type: long example: 24 | |
| network.protocol | Network | string | In the OSI Model this would be the Application Layer protocol. For example, http , dns , or ssh . The field value must be normalized to lowercase for querying. type: string example: http network.protocol.name | |
| network.transport | Network | string | Same as network.iana_number, but instead using the string name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. type: string example: tcp network.transport | |
| observer.hostname | Observer | string | Hostname of the observer. type: string | |
| observer.product | Observer | string | The product name of the observer. type: string example: s200 | |
| observer.type | Observer | string | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder , firewall , ids , ips , proxy , poller , sensor , APM server . type: string example: firewall | |
| observer.vendor | Observer | string | Vendor name of the observer. type: string example: Symantec | |
| observer.egress.interface.name | Observer | string | Interface name as reported by the system. type: string example: eth0 | |
| observer.ingress.interface.name | Observer | string | Interface name as reported by the system. type: string example: eth0 | |
| package.name | Package | string | Package name. type: string example: go | |
| package.version | Package | string | Package version. type: string example: 1.12.9 | |
| process.args | Process | string | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: string Note: This field should contain an array of values. example: "/usr/bin/ssh", "-l", "user", "10.0.0.16" process.command_args | |
| process.command_line | Process | string | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. type: wildcard Multi-fields: * process.command_line.text (type: match_only_text) example: /usr/bin/ssh -l user 10.0.0.16 process.command_line | |
| process.entity_id | Process | string | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: string example: c2c455d9f99375d | |
| process.executable | Process | string | Absolute path to the process executable. type: string Multi-fields: * process.executable.text (type: match_only_text) example: /usr/bin/ssh process.executable.path | |
| process.name | Process | string | Process name. Sometimes called program name or similar. type: string Multi-fields: * process.name.text (type: match_only_text) example: ssh | |
| process.pid | Process | long | Process id. type: long example: 4242 process.pid | |
| process.thread.id | Process | long | Thread ID. type: long example: 4242 | |
| process.working_directory | Process | string | The working directory of the process. type: string Multi-fields: * process.working_directory.text (type: match_only_text) example: /home/alice process.working_directory | |
| process.parent.pid | Process | long | Process id of the parent process. type: long example: 4242 process.pid | |
| registry.key | Registry | string | Hive-relative path of keys. type: string example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | |
| registry.path | Registry | string | Full path, including hive, key and value. type: string example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger | |
| registry.value | Registry | string | Name of the value written. type: string example: Debugger | |
| related.hash | Related | string | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: string Note: This field should contain an array of values. Not applicable. | |
| related.ip | Related | string | All of the IPs seen on your event. type: ip Note: This field should contain an array of values. Not applicable. | |
| related.user | Related | string | All the user names or other user identifiers seen on the event. type: string Note: This field should contain an array of values. Not applicable. | |
| server.ip | Server | string | IP address of the server (IPv4 or IPv6). type: ip | |
| server.port | Server | long | Port of the server. type: long server.port | |
| service.name | Service | string | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified. type: string example: elasticsearch-metrics service.name | |
| service.type | Service | string | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . type: string example: elasticsearch | |
| service.version | Service | string | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. type: string example: 3.2.4 service.version | |
| source.bytes | Source | long | Bytes sent from the source to the destination. type: long example: 184 | |
| source.ip | Source | ip | IP address of the source (IPv4 or IPv6). type: ip | |
| source.mac | Source | string | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two uppercase hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: string example: 00-00-5E-00-53-23 | |
| source.port | Source | long | Port of the source. type: long source.port | |
| source.as.number | Source | long | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long example: 15169 | |
| source.geo.country_iso_code | Source | string | Country ISO code. type: string example: CA geo.country.iso_code | |
| tls.cipher | TLS | string | String indicating the cipher used during the current connection. type: string example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 tls.cipher | |
| tls.server.certificate_chain | TLS | string | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of server.certificate since that value should be the first certificate in the chain. type: string Note: This field should contain an array of values. example: "MII...", "MII..." tls.server.certificate_chain | |
| tls.version | TLS | string | Numeric part of the version parsed from the original string. type: string example: 1.2 | |
| url.domain | URL | string | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the domain field. type: string example: www.elastic.co url.domain | |
| url.full | URL | string | If full URLs are important to your use case, they should be stored in url.full , whether this field is reconstructed or present in the event source. type: wildcard Multi-fields: * url.full.text (type: match_only_text) example: https://www.elastic.co:443/search?q=elasticsearch#top url.full | |
| url.path | URL | string | Path of the request, such as "/search". type: wildcard url.path | |
| url.query | URL | string | The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ? , there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases. type: string url.query | |
| user.domain | User | string | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. type: string | |
| user.email | User | string | User email address. type: string user.email | |
| user.full_name | User | string | User's full name, if available. type: string Multi-fields: * user.full_name.text (type: match_only_text) example: Albert Einstein user.full_name | |
| user.id | User | string | Unique identifier of the user. type: string example: S-1-5-21-202424912787-2692429404-2351956786-1000 user.id | |
| user.name | User | string | Short name or login of the user. type: string Multi-fields: * user.name.text (type: match_only_text) example: a.einstein user.name | |
| user.roles | User | string | Array of user roles at the time of the event. type: string Note: This field should contain an array of values. example: "kibana_admin", "reporting_user" user.roles | |
| user_agent.name | User agent | string | Name of the user agent. type: string example: Safari user_agent.name | |
| user_agent.original | User agent | string | Unparsed user_agent string. type: string Multi-fields: * user_agent.original.text (type: match_only_text) example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 user_agent.original | |
| user_agent.os.full | User agent | string | Operating system name, including the version or code name. type: string Multi-fields: * os.full.text (type: match_only_text) example: Mac OS Mojave os.description | |
| vulnerability.classification | Vulnerability | string | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: string example: CVSS | |
| vulnerability.description | Vulnerability | string | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created) type: string Multi-fields: * vulnerability.description.text (type: match_only_text) example: In macOS before 2.12.6, there is a vulnerability in the RPC... | |
| vulnerability.id | Vulnerability | string | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id) type: string example: CVE-2019-00001 | |
| vulnerability.reference | Vulnerability | string | A resource that provides additional information, context, and mitigations for the identified vulnerability. type: string example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 | |
| vulnerability.severity | Vulnerability | string | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: string example: Critical | |
| timestamp | Base | date | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. type: date example: 2016-05-23T08:05:34.853Z time_unix_nano observed_time_unix_nano start_time_unix_nano Note: On logs, events and metrics, time_unix_nano defines the time of the event. For logs, observed_time_unix_nano defines the time when the event was observed by the collection system. On spans, start_time_unix_nano represents the start time of the span. | |
| event.created | Event | date | Date and time when the event was first observed or ingested by the agent or pipeline; example: 2024-10-01T10:15:30Z | |
| process.ppid | Process | long | Parent process ID of the process that generated the event; example: 1 | |
| process.tty | Process | string | Controlling terminal (TTY) associated with the process; example: pts/0 | |
| user.effective.id | User | string | Effective user ID under which the action was executed after privilege changes; example: 0 | |
| user.audit.id | User | string | User identifier recorded by the audit subsystem for accountability; example: 1001 | |
| user.saved.id | User | string | Saved user ID before privilege escalation or context switch; example: 1000 | |
| user.fs.id | User | string | Filesystem user ID used for file permission checks; example: 1000 | |
| group.effective.id | Group | string | Effective group ID at the time the event occurred; example: 0 | |
| group.saved.id | Group | string | Saved group ID before privilege escalation; example: 1000 | |
| group.fs.id | Group | string | Filesystem group ID used for file access checks; example: 1000 | |
| agent.hostname | Agent | string | Hostname of the system where the agent is running; example: web-server-01 | |
| agent.ephemeral.id | Agent | string | Ephemeral identifier for the agent instance that changes on restart; example: 6f8c2e1a-b7f3-4b2a | |
| agent.ip | Agent | keyword | IP address of the host running the agent; example: 192.168.1.10 | |
| auditd.arch | Auditd | string | System architecture identifier from auditd logs; example: x86_64 | |
| auditd.syscall | Auditd | string | System call name or number captured by auditd; example: execve | |
| auditd.session | Auditd | string | Audit session ID associated with the user session; example: 4294967295 | |
| auditd.key | Auditd | string | Audit rule key that matched and triggered the event; example: privileged-command | |
| kafka.topic | Kafka | string | Kafka topic from which the event message was consumed; example: security-events | |
| kafka.partition | kafka | long | Kafka partition number containing the message; example: 3 | |
| kafka.offset | kafka | long | Kafka offset of the message within the partition; example: 1589234 | |
| full.log | full | string | Complete raw log entry as received before parsing or normalization; example: Oct 10 10:22:01 host sshd1234: Failed password | |
| event.original | event | string | Original unmodified event payload for integrity or forensic purposes; example: {"msg":"login failed" | |
| log.source | log | string | Logical source or subsystem that generated the log; example: auth.log | |
| custom.noc.class | custom | long | Custom classification code defined by NOC or SOC teams; example: 3 | |
| server.address | server | string | Destination server hostname or IP address involved in the event; example: api.example.com | |
| client.address | client | string | Client hostname or IP address initiating the request; example: 203.0.113.45 | |
| http.request.id | http | string | Unique identifier assigned to correlate HTTP requests and responses; example: req-7f3a9c | |
| http.request.body.bytes | http | long | Size of the HTTP request body in bytes; example: 512 | |
| severity | base | string | Normalized severity level of the event; example: high | |
| duration | base | string | Duration of the event or activity expressed as a time value; example: 350ms | |
| recovery.date | recovery | string | Date when recovery or remediation action was performed; example: 2024-10-05 | |
| recovery.time | recovery | string | Time when recovery or remediation action was performed; example: 14:32:10 | |
| ddos.profile_name | ddos | string | Name of the DDoS mitigation profile applied; example: L7-HTTP-FLOOD | |
| ddos.profile_desc | ddos | string | Description of the DDoS mitigation profile behavior; example: Rate limiting and challenge response | |
| ddos.policy_type | ddos | long | Numeric identifier representing the DDoS policy type; example: 2 | |
| ddos.peak_bps | ddos | long | Maximum traffic volume observed during the attack in bits per second; example: 4500000000 | |
| ddos.peak_pps | ddos | long | Maximum packets per second observed during the attack; example: 1200000 | |
| ddos.period | ddos | string | Time window during which the DDoS attack was detected; example: 2024-10-01T10:00Z/2024-10-01T10:15Z | |
| event.severity_label | event | string | Textual severity label defined by organization policy; example: critical | |
| file.inode | file | string | Inode number of the file involved in the event on Unix systems; example: 458721 | |
| file.mode | file | string | File permission mode represented as an octal string; example: 0755 | |
| process.exit_code | process | long | Exit status code returned by the process after termination; example: 0 | |
| message_key | base | string | Key used to group, partition, or correlate messages; example: user-login-failed | |
| rule.id | rule | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event; example: 101 | |
| rule.name | rule | string | The name of the rule or signature generating the event; example: BLOCK_DNS_over_TLS | |
Note: Array fields are indicated with "(array)" notation. Ensure proper array formatting when populating these fields.
Tip: For detailed ECS field specifications and updates, refer to the official Elastic Common Schema documentation.