ECS field reference
Elastic Stack Serverless
This is the documentation of ECS version 9.0.0-dev.
ECS defines multiple groups of related fields. They are called "field sets". The Base field set is the only one whose fields are defined at the root of the event.
All other field sets are defined as objects in Elasticsearch, under which all fields are defined.
For a single page representation of all fields, please see the generated CSV of fields.
| Field Set | Description |
|---|---|
| Base | All fields defined directly at the root of the events. |
| Agent | Fields about the monitoring agent. |
| Autonomous system | Fields describing an Autonomous System (Internet routing prefix). |
| Client | Fields about the client side of a network connection, used with server. |
| Cloud | Fields about the cloud resource. |
| Code signature | These fields contain information about binary code signatures. |
| Container | Fields describing the container that generated this event. |
| Data stream | The data_stream fields take part in defining the new data stream naming scheme. |
| Destination | Fields about the destination side of a network connection, used with source. |
| Device | Fields characterizing a (mobile) device a process or application is running on. |
| DLL | These fields contain information about code libraries dynamically loaded into processes. |
| DNS | Fields describing DNS queries and answers. |
| ECS | Meta-information specific to ECS. |
| ELF header | These fields contain Linux Executable Linkable Format (ELF) metadata. |
| Describes an email transaction. | |
| Error | Fields about errors of any kind. |
| Event | Fields breaking down the event details. |
| FaaS | Fields describing functions as a service. |
| File | Fields describing files. |
| Geo | Fields describing a location. |
| Group | User’s group relevant to the event. |
| Hash | Hashes, usually file hashes. |
| Host | Fields describing the relevant computing instance. |
| HTTP | Fields describing an HTTP request. |
| Interface | Fields to describe observer interface information. |
| Log | Details about the event’s logging mechanism. |
| Mach-O header | These fields contain Mac OS Mach Object file format (Mach-O) metadata. |
| Network | Fields describing the communication path over which the event happened. |
| Observer | Fields describing an entity observing the event from outside the host. |
| Orchestrator | Fields relevant to container orchestrators. |
| Organization | Fields describing the organization or company the event is associated with. |
| Operating system | OS fields contain information about the operating system. |
| Package | These fields contain information about an installed software package. |
| PE header | These fields contain Windows Portable Executable (PE) metadata. |
| Process | These fields contain information about a process. |
| Registry | Fields related to Windows Registry operations. |
| Related | Fields meant to facilitate pivoting around a piece of data. |
| Risk information | Fields for describing risk score and level. |
| Rule | Fields to capture details about rules used to generate alerts or other notable events. |
| Server | Fields about the server side of a network connection, used with client. |
| Service | Fields describing the service for or from which the data was collected. |
| Source | Fields about the source side of a network connection, used with destination. |
| Threat | Fields to classify events and alerts according to a threat taxonomy. |
| TLS | Fields describing a TLS connection. |
| Tracing | Fields related to distributed tracing. |
| URL | Fields that let you store URLs in various forms. |
| User | Fields to describe the user relevant to the event. |
| User agent | Fields to describe a browser user_agent string. |
| VLAN | Fields to describe observed VLAN information. |
| Volume | Fields related to storage volume details. |
| Vulnerability | Fields to describe the vulnerability relevant to an event. |
| x509 certificate | These fields contain x509 certificate metadata. |