Event
Fields breaking down the event details.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| event.action | keyword | Core | The action captured by the event. |
| event.agent_id_status | keyword | Extended | Validation status of the event's agent.id field: whether the receiving system could confirm the reported agent.id against the client's authentication metadata rather than trusting the agent's own claim. |
| event.category | keyword | Core | Event category. The second categorization field in the hierarchy. |
| event.code | keyword | Extended | Identification code for this event. |
| event.created | date | Core | Time when the event was first read by an agent or by your pipeline. |
| event.dataset | keyword | Core | Name of the dataset. |
| event.duration | long | Core | Duration of the event in nanoseconds. |
| event.end | date | Extended | event.end contains the date when the event ended or when the activity was last observed. |
| event.hash | keyword | Extended | Hash (for example a Logstash fingerprint) of the raw event text, stored so that log integrity can be demonstrated later. |
| event.id | keyword | Core | Unique ID to describe the event. |
| event.ingested | date | Core | Timestamp when an event arrived in the central data store. |
| event.kind | keyword | Core | The kind of the event. The highest categorization field in the hierarchy. |
| event.module | keyword | Core | Name of the module this data is coming from. |
| event.original | keyword | Core | Raw text message of entire event. |
| event.outcome | keyword | Core | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.provider | keyword | Extended | Source of the event. |
| event.reason | keyword | Extended | Reason why this event happened, according to the source. |
| event.reference | keyword | Extended | Event reference URL. |
| event.risk_score | float | Core | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
| event.risk_score_norm | float | Extended | Normalized risk score or priority of the event (0-100). |
| event.sequence | long | Extended | Sequence number of the event. |
| event.severity | long | Core | Numeric severity of the event. |
| event.start | date | Extended | event.start contains the date when the event started or when the activity was first observed. |
| event.timezone | keyword | Extended | Event time zone. |
| event.type | keyword | Core | Event type. The third categorization field in the hierarchy. |
| event.url | keyword | Extended | Event investigation URL. |
Field Details
event.action
Type: keyword
Level: Core
Description: The action captured by the event.
Example: user-password-change
Indexed: true
event.agent_id_status
Type: keyword
Level: Extended
Description: Validation status of the event's agent.id field: whether the receiving system could confirm the reported agent.id against the client's authentication metadata rather than trusting the agent's own claim.
Example: verified
Indexed: true
event.category
Type: keyword
Level: Core
Description: Event category. The second categorization field in the hierarchy.
Example: authentication
Normalization: array
Indexed: true
event.code
Type: keyword
Level: Extended
Description: Identification code for this event.
Example: 4648
Indexed: true
event.created
Type: date
Level: Core
Description: Time when the event was first read by an agent or by your pipeline.
Example: 2016-05-23T08:05:34.857Z
Indexed: true
event.dataset
Type: keyword
Level: Core
Description: Name of the dataset.
Example: apache.access
Indexed: true
event.duration
Type: long
Level: Core
Description: Duration of the event in nanoseconds.
Indexed: true
event.end
Type: date
Level: Extended
Description: event.end contains the date when the event ended or when the activity was last observed.
Indexed: true
event.hash
Type: keyword
Level: Extended
Description: Hash (for example a Logstash fingerprint) of the raw event text, stored so that log integrity can be demonstrated later.
Example: 123456789012345678901234567890ABCD
Indexed: true
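The following is an added example of how event.hash can be used to demonstrate log integrity; it is not code from ECS or from this page. It computes a keyed HMAC-SHA256 over event.original at ingest time and later re-checks it. The key (PIPELINE_KEY), the stamp/verify helpers and the sample document are assumptions of this example; the sample wraps the CEF line shown on this page under event.original. A keyed MAC is used rather than a plain hash because a plain hash only detects accidental corruption: anyone who can rewrite event.original in the store can recompute an unkeyed hash, but cannot forge the MAC without the key, which should live outside the data store.

```python
import hashlib
import hmac

# Hypothetical per-pipeline secret (example only); in production fetch it from a
# secret store and never index it alongside the events it protects.
PIPELINE_KEY = b"example-pipeline-key-rotate-me"


def fingerprint(original: str, key: bytes = PIPELINE_KEY) -> str:
    """HMAC-SHA256 of the raw event text, hex-encoded, suitable for event.hash."""
    return hmac.new(key, original.encode("utf-8"), hashlib.sha256).hexdigest()


def stamp(event: dict, key: bytes = PIPELINE_KEY) -> dict:
    """Return a copy of the event with event.hash computed over event.original."""
    out = dict(event)
    out["event.hash"] = fingerprint(out["event.original"], key)
    return out


def verify(event: dict, key: bytes = PIPELINE_KEY) -> bool:
    """True only if event.hash still matches event.original under the key.

    hmac.compare_digest is a constant-time comparison, so a caller probing the
    verifier cannot learn the expected value byte by byte from timing.
    """
    expected = fingerprint(event.get("event.original", ""), key)
    return hmac.compare_digest(expected, event.get("event.hash", ""))


# Constructed sample document (not captured data): the page's CEF example line
# stored as event.original, which ECS keeps unindexed but retained in _source.
SAMPLE = {
    "event.original": (
        "Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|"
        "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232"
    ),
    "event.module": "cef",
    "event.kind": "alert",
}


def demo() -> tuple:
    """Stamp the sample, then show that editing the raw text is detected."""
    stamped = stamp(SAMPLE)
    untouched_ok = verify(stamped)

    tampered = dict(stamped)  # event.hash carried over, event.original altered
    tampered["event.original"] = tampered["event.original"].replace(
        "src=10.0.0.1", "src=10.0.0.2"
    )
    tampered_ok = verify(tampered)
    return untouched_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because event.original is not indexed, verification reads it back from the stored document source rather than from a search; that also means the check covers the bytes you actually kept, not a tokenized copy.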
event.id
Type: keyword
Level: Core
Description: Unique ID to describe the event.
Example: 8a4f500d
Indexed: true
event.ingested
Type: date
Level: Core
Description: Timestamp when an event arrived in the central data store.
Example: 2016-05-23T08:05:35.101Z
Indexed: true
event.kind
Type: keyword
Level: Core
Description: The kind of the event. The highest categorization field in the hierarchy.
Example: alert
Indexed: true
event.module
Type: keyword
Level: Core
Description: Name of the module this data is coming from.
Example: apache
Indexed: true
event.original
Type: keyword
Level: Core
Description: Raw text message of entire event.
Example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
Indexed: false
event.outcome
Type: keyword
Level: Core
Description: The outcome of the event. The lowest level categorization field in the hierarchy.
Example: success
Indexed: true
event.provider
Type: keyword
Level: Extended
Description: Source of the event.
Example: kernel
Indexed: true
event.reason
Type: keyword
Level: Extended
Description: Reason why this event happened, according to the source.
Example: Terminated an unexpected process
Indexed: true
event.reference
Type: keyword
Level: Extended
Description: Event reference URL.
Example: https://system.example.com/event/#0001234
Indexed: true
event.risk_score
Type: float
Level: Core
Description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
Indexed: true
event.risk_score_norm
Type: float
Level: Extended
Description: Normalized risk score or priority of the event (0-100).
Indexed: true
event.sequence
Type: long
Level: Extended
Description: Sequence number of the event.
Indexed: true
event.severity
Type: long
Level: Core
Description: Numeric severity of the event.
Example: 7
Indexed: true
event.start
Type: date
Level: Extended
Description: event.start contains the date when the event started or when the activity was first observed.
Indexed: true
event.timezone
Type: keyword
Level: Extended
Description: Event time zone.
Indexed: true
event.type
Type: keyword
Level: Core
Description: Event type. The third categorization field in the hierarchy.
Normalization: array
Indexed: true
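The following is an added example, not code from ECS or this page, of normalizing the event.* fields described above before indexing: it wraps event.category and event.type into arrays (the two fields the page marks "Normalization: array"), derives event.duration in nanoseconds from event.start and event.end when the source did not supply it, maps the source's own event.risk_score onto the 0-100 event.risk_score_norm scale, and rejects an event.outcome outside the ECS-defined values. The function name normalize_event, the max_risk parameter (the top of the source system's own risk scale) and the sample document are assumptions of this example; the outcome values success, failure and unknown are the ones ECS defines, of which the page shows only success.

```python
from datetime import datetime

# ECS-defined event.outcome values; the page's example is "success".
OUTCOMES = {"success", "failure", "unknown"}

# Fields the page marks "Normalization: array": a single value is wrapped and a
# list is kept, so queries never have to handle both shapes.
ARRAY_FIELDS = ("event.category", "event.type")


def _as_list(value):
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [value]


def _parse_ts(ts: str) -> datetime:
    # The page's date examples carry a trailing Z; fromisoformat() wants +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_event(doc: dict, max_risk: float) -> dict:
    """Return a copy of a flat ECS document with its event.* fields normalized.

    max_risk (an assumption of this example) is the largest value the source
    system's own risk scale can produce; it is needed to fill event.risk_score_norm.
    """
    ev = dict(doc)

    for field in ARRAY_FIELDS:
        if field in ev:
            ev[field] = _as_list(ev[field])

    outcome = ev.get("event.outcome")
    if outcome is not None and outcome not in OUTCOMES:
        raise ValueError(f"event.outcome must be one of {sorted(OUTCOMES)}, got {outcome!r}")

    # event.duration is in nanoseconds; derive it from start/end when absent.
    if "event.start" in ev and "event.end" in ev and "event.duration" not in ev:
        delta = _parse_ts(ev["event.end"]) - _parse_ts(ev["event.start"])
        if delta.days < 0:
            raise ValueError("event.end precedes event.start")
        seconds = delta.days * 86_400 + delta.seconds
        ev["event.duration"] = seconds * 1_000_000_000 + delta.microseconds * 1_000

    # Keep the source's original score in event.risk_score and add the 0-100 copy.
    if "event.risk_score" in ev and "event.risk_score_norm" not in ev:
        if max_risk <= 0:
            raise ValueError("max_risk must be positive")
        norm = 100.0 * float(ev["event.risk_score"]) / max_risk
        ev["event.risk_score_norm"] = max(0.0, min(100.0, norm))

    return ev


# Constructed sample (not captured data) using the page's own example values.
SAMPLE_DOC = {
    "event.kind": "event",
    "event.category": "authentication",
    "event.type": "start",
    "event.outcome": "success",
    "event.action": "user-password-change",
    "event.start": "2016-05-23T08:05:34.857Z",
    "event.end": "2016-05-23T08:05:35.101Z",
    "event.risk_score": 7.0,  # on a hypothetical 0-10 source scale
}


if __name__ == "__main__":
    print(normalize_event(SAMPLE_DOC, max_risk=10.0))
```

Running this on SAMPLE_DOC yields event.category == ["authentication"], event.type == ["start"], event.duration == 244000000 and event.risk_score_norm == 70.0, with the original event.risk_score of 7.0 left untouched as the page asks.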
event.url
Type: keyword
Level: Extended
Description: Event investigation URL.
Example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
Indexed: true