Elastic Common Schema (ECS)

For more details, see the official documentation.

ECS Generic attributes table

| Attribute | Description | Example values |
|---|---|---|
| @timestamp | Date/time when the event originated. | 2022-05-23T08:05:34.853Z |
| client.ip | The IP address of the device that was used when the activity was logged. The IP address is displayed in either IPv4 or IPv6 format. | |
| cnt | Count of events. | 1 |
| destination.ip | The original destination IP address of the device that was used when the activity was logged. | |
| ecs.version | ECS version this event conforms to. | 1.0.0 |
| event.action | Description of the original event that triggered creation of the particular log. | UserLoggedIn, MessageTrace, FilePreviewed |
| event.original | Full and unmodified log for auditing. | - - [07/Dec ... |
| http.request.method | HTTP request method: the action to be performed on the resource identified by the given Request-URL. | get |
| http.response.body.bytes | Size of the HTTP request in bytes. | 2571 |
| http.response.status_code | HTTP response status codes indicate whether a specific HTTP request has been successfully completed. | 200 |
| http.version | Current version of the Hypertext Transfer Protocol. | 1.1 |
| host.hostname | Hostname of the host. | webserver-blog-prod |
| message | Text representation of the significant information from the event for succinct display in a log viewer. | "GET /blog HTTP/1.1" 200 2571 |
| service.name | Your custom name for this service. | Company blog |
| service.type | Type of the service used with this instance. | apache |
| source.geo.* | Fields for geo-location. | |
| url.original | Original URL path. | /blog |
| user.name | Name of the user. | Albus Dumbledore |
| user_agent.* | Fields describing the user agent. | |
| event.dataset | Name of the dataset. | microsoft-office-365 |
| (attribute name missing from source) | Unique identification value. | b4b4c44c-ff30-4ddd-bfbe-44e082570800 |
| event.ingested | Timestamp when an event arrived in the central data store. | 2022-05-23T08:05:34.853Z |
| event.kind | Value of this field can be used to inform how these kinds of events should be handled. | alert, enrichment, event, metric, state, pipeline_error, signal |
| log.original | Raw log format that is received before the parsing process takes place. | <165>Jan 17 12:20:25 hostname %ASA-5-111010: User 'harry', running 'N/A' from IP, executed 'write memory' |
| (attribute name missing from source) | ID of the original source organization of an event. | |
| recipient.address | E-mail address of the original recipient of the message. | |
| sender.address | E-mail address of the original sender of the message. | |
| source.ip | IP address of the source device or system. | |
| tenant | Tenant identification in each event. | default |
| (attribute name missing from source) | User identification of each event. | |
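As an added example (not part of the original page or of ECS itself), the following Python normalizes a constructed Apache access-log line into the attributes listed above, so a SOC analyst can see how one raw line fans out into the schema and how an unparseable line is flagged rather than silently dropped. The sample line, the hostname, the ECS version string and the `user_agent.original` field (standing in for the `user_agent.*` group) are assumed values.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an Apache combined-format access line chosen to match the
# table's example values (GET /blog, status 200, 2571 bytes, HTTP/1.1).
RAW_LINE = ('203.0.113.7 - - [07/Dec/2022:10:15:32 +0000] "GET /blog HTTP/1.1" 200 2571 '
            '"-" "Mozilla/5.0"')

# Apache combined format: client, ident, user, time, request, status, bytes, referrer, agent.
APACHE_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

def _ecs_ts(dt):
    """Render an aware datetime as the Z-suffixed millisecond form used in the table."""
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

def apache_to_ecs(line, hostname="webserver-blog-prod", ingested=None):
    """Map one Apache access-log line onto ECS attributes from the table above.
    Returns None when the line does not parse, so the caller can route it to a
    dead-letter index for review instead of losing it."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    originated = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    event = {
        "@timestamp": _ecs_ts(originated),                 # when the request happened
        "event.ingested": _ecs_ts(ingested or datetime.now(timezone.utc)),
        "ecs.version": "1.0.0",                            # assumed schema version
        "event.kind": "event",
        "event.original": line,                            # full, unmodified line for auditing
        "client.ip": m["client"],
        "http.request.method": m["method"].lower(),
        "http.response.status_code": int(m["status"]),
        "http.response.body.bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        "http.version": m["version"],
        "host.hostname": hostname,                         # assumed: taken from the shipper
        "url.original": m["path"],
        "service.type": "apache",
        # Compact one-line summary for the log viewer, as in the table's message row.
        "message": f'"{m["method"]} {m["path"]} HTTP/{m["version"]}" {m["status"]} {m["bytes"]}',
    }
    if m["agent"]:
        event["user_agent.original"] = m["agent"]          # member of the user_agent.* group
    return event

if __name__ == "__main__":
    print(apache_to_ecs(RAW_LINE))
```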