⚠️ Outdated Version: You are viewing ECS version 8.17, which is outdated. View the latest version (9.0)

ECS Version:

Observer

Fields describing an entity observing the event from outside the host.

Fields

Field Summary

Field	Type	Level	Description
`observer.egress`	object	Extended	Object field for egress information
`observer.egress.interface.alias`	keyword	Extended	Interface alias
`observer.egress.interface.id`	keyword	Extended	Interface ID
`observer.egress.interface.name`	keyword	Extended	Interface name
`observer.egress.vlan.id`	keyword	Extended	VLAN ID as reported by the observer.
`observer.egress.vlan.name`	keyword	Extended	Optional VLAN name as reported by the observer.
`observer.egress.zone`	keyword	Extended	Observer Egress zone
`observer.geo.city_name`	keyword	Core	City name.
`observer.geo.continent_code`	keyword	Core	Continent code.
`observer.geo.continent_name`	keyword	Core	Name of the continent.
`observer.geo.country_iso_code`	keyword	Core	Country ISO code.
`observer.geo.country_name`	keyword	Core	Country name.
`observer.geo.location`	geo_point	Core	Longitude and latitude.
`observer.geo.name`	keyword	Extended	User-defined description of a location.
`observer.geo.postal_code`	keyword	Core	Postal code.
`observer.geo.region_iso_code`	keyword	Core	Region ISO code.
`observer.geo.region_name`	keyword	Core	Region name.
`observer.geo.timezone`	keyword	Core	Time zone.
`observer.hostname`	keyword	Core	Hostname of the observer.
`observer.ingress`	object	Extended	Object field for ingress information
`observer.ingress.interface.alias`	keyword	Extended	Interface alias
`observer.ingress.interface.id`	keyword	Extended	Interface ID
`observer.ingress.interface.name`	keyword	Extended	Interface name
`observer.ingress.vlan.id`	keyword	Extended	VLAN ID as reported by the observer.
`observer.ingress.vlan.name`	keyword	Extended	Optional VLAN name as reported by the observer.
`observer.ingress.zone`	keyword	Extended	Observer ingress zone
`observer.ip`	ip	Core	IP addresses of the observer.
`observer.mac`	keyword	Core	MAC addresses of the observer.
`observer.name`	keyword	Extended	Custom name of the observer.
`observer.os.family`	keyword	Extended	OS family (such as redhat, debian, freebsd, windows).
`observer.os.full`	keyword	Extended	Operating system name, including the version or code name.
`observer.os.full.text`	match_only_text	Extended	Operating system name, including the version or code name.
`observer.os.kernel`	keyword	Extended	Operating system kernel version as a raw string.
`observer.os.name`	keyword	Extended	Operating system name, without the version.
`observer.os.name.text`	match_only_text	Extended	Operating system name, without the version.
`observer.os.platform`	keyword	Extended	Operating system platform (such centos, ubuntu, windows).
`observer.os.type`	keyword	Extended	Which commercial OS family (one of: linux, macos, unix, windows, ios or android).
`observer.os.version`	keyword	Extended	Operating system version as a raw string.
`observer.product`	keyword	Extended	The product name of the observer.
`observer.serial_number`	keyword	Extended	Observer serial number.
`observer.type`	keyword	Core	The type of the observer the data is coming from.
`observer.vendor`	keyword	Core	Vendor name of the observer.
`observer.version`	keyword	Core	Observer version.

Field Details

`observer.egress`

Type: object

Level: Extended

Description: Object field for egress information

Indexed: true

`observer.egress.interface.alias`

Type: keyword

Level: Extended

Description: Interface alias

Example: outside

Indexed: true

`observer.egress.interface.id`

Type: keyword

Level: Extended

Description: Interface ID

Example: 10

Indexed: true

`observer.egress.interface.name`

Type: keyword

Level: Extended

Description: Interface name

Example: eth0

Indexed: true

`observer.egress.vlan.id`

Type: keyword

Level: Extended

Description: VLAN ID as reported by the observer.

Example: 10

Indexed: true

`observer.egress.vlan.name`

Type: keyword

Level: Extended

Description: Optional VLAN name as reported by the observer.

Example: outside

Indexed: true

`observer.egress.zone`

Type: keyword

Level: Extended

Description: Observer Egress zone

Example: Public_Internet

Indexed: true

`observer.geo.city_name`

Type: keyword

Level: Core

Description: City name.

Example: Montreal

Indexed: true

`observer.geo.continent_code`

Type: keyword

Level: Core

Description: Continent code.

Example: NA

Indexed: true

`observer.geo.continent_name`

Type: keyword

Level: Core

Description: Name of the continent.

Example: North America

Indexed: true

`observer.geo.country_iso_code`

Type: keyword

Level: Core

Description: Country ISO code.

Example: CA

Indexed: true

`observer.geo.country_name`

Type: keyword

Level: Core

Description: Country name.

Example: Canada

Indexed: true

`observer.geo.location`

Type: geo_point

Level: Core

Description: Longitude and latitude.

Example: { "lon": -73.614830, "lat": 45.505918 }

Indexed: true

`observer.geo.name`

Type: keyword

Level: Extended

Description: User-defined description of a location.

Example: boston-dc

Indexed: true

`observer.geo.postal_code`

Type: keyword

Level: Core

Description: Postal code.

Example: 94040

Indexed: true

`observer.geo.region_iso_code`

Type: keyword

Level: Core

Description: Region ISO code.

Example: CA-QC

Indexed: true

`observer.geo.region_name`

Type: keyword

Level: Core

Description: Region name.

Example: Quebec

Indexed: true

`observer.geo.timezone`

Type: keyword

Level: Core

Description: Time zone.

Example: America/Argentina/Buenos_Aires

Indexed: true

`observer.hostname`

Type: keyword

Level: Core

Description: Hostname of the observer.

Indexed: true

`observer.ingress`

Type: object

Level: Extended

Description: Object field for ingress information

Indexed: true

`observer.ingress.interface.alias`

Type: keyword

Level: Extended

Description: Interface alias

Example: outside

Indexed: true

`observer.ingress.interface.id`

Type: keyword

Level: Extended

Description: Interface ID

Example: 10

Indexed: true

`observer.ingress.interface.name`

Type: keyword

Level: Extended

Description: Interface name

Example: eth0

Indexed: true

`observer.ingress.vlan.id`

Type: keyword

Level: Extended

Description: VLAN ID as reported by the observer.

Example: 10

Indexed: true

`observer.ingress.vlan.name`

Type: keyword

Level: Extended

Description: Optional VLAN name as reported by the observer.

Example: outside

Indexed: true

`observer.ingress.zone`

Type: keyword

Level: Extended

Description: Observer ingress zone

Example: DMZ

Indexed: true

`observer.ip`

Type: ip

Level: Core

Description: IP addresses of the observer.

Normalization: array

Indexed: true

`observer.mac`

Type: keyword

Level: Core

Description: MAC addresses of the observer.

Example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]

Normalization: array

Indexed: true

`observer.name`

Type: keyword

Level: Extended

Description: Custom name of the observer.

Example: 1_proxySG

Indexed: true

`observer.os.family`

Type: keyword

Level: Extended

Description: OS family (such as redhat, debian, freebsd, windows).

Example: debian

Indexed: true

`observer.os.full`

Type: keyword

Level: Extended

Description: Operating system name, including the version or code name.

Example: Mac OS Mojave

Indexed: true

`observer.os.full.text`

Type: match_only_text

Level: Extended

Description: Operating system name, including the version or code name.

Example: Mac OS Mojave

Indexed: true

`observer.os.kernel`

Type: keyword

Level: Extended

Description: Operating system kernel version as a raw string.

Example: 4.4.0-112-generic

Indexed: true

`observer.os.name`

Type: keyword

Level: Extended

Description: Operating system name, without the version.

Example: Mac OS X

Indexed: true

`observer.os.name.text`

Type: match_only_text

Level: Extended

Description: Operating system name, without the version.

Example: Mac OS X

Indexed: true

`observer.os.platform`

Type: keyword

Level: Extended

Description: Operating system platform (such centos, ubuntu, windows).

Example: darwin

Indexed: true

`observer.os.type`

Type: keyword

Level: Extended

Description: Which commercial OS family (one of: linux, macos, unix, windows, ios or android).

Example: macos

Indexed: true

`observer.os.version`

Type: keyword

Level: Extended

Description: Operating system version as a raw string.

Example: 10.14.1

Indexed: true

`observer.product`

Type: keyword

Level: Extended

Description: The product name of the observer.

Example: s200

Indexed: true

`observer.serial_number`

Type: keyword

Level: Extended

Description: Observer serial number.

Indexed: true

`observer.type`

Type: keyword

Level: Core

Description: The type of the observer the data is coming from.

Example: firewall

Indexed: true

`observer.vendor`

Type: keyword

Level: Core

Description: Vendor name of the observer.

Example: Symantec

Indexed: true

`observer.version`

Type: keyword

Level: Core

Description: Observer version.

Indexed: true

Network Orchestrator