forked from elastic/ecs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
event.yml
706 lines (637 loc) · 32.1 KB
/
event.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
---
- name: event
title: Event
group: 2
short: Fields breaking down the event details.
description: >
The event fields are used for context information about the log or metric event itself.
A log is defined as an event containing details of something that happened.
Log events must include the time at which the thing happened.
Examples of log events include a process starting on a host,
a network packet being sent from a source to a destination,
or a network connection between a client and a server being initiated or closed.
A metric is defined as an event containing one or more numerical measurements
and the time at which the measurement was taken. Examples of metric events include
memory pressure measured on a host and device temperature.
See the `event.kind` definition in this section for additional details about
metric and state events.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Unique ID to describe the event.
example: 8a4f500d
- name: code
level: extended
type: keyword
short: Identification code for this event.
description: >
Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously,
regardless of message language or wording adjustments over time.
An example of this is the Windows Event ID.
example: 4648
- name: kind
level: core
type: keyword
short: The kind of the event. The highest categorization field in the hierarchy.
description: >
This is one of four ECS Categorization Fields, and indicates the
highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the
event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from
metric events.
The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also
help understand whether the data coming in at a regular interval or not.
example: alert
allowed_values:
- name: alert
description: >
This value indicates an event that describes an alert or notable event,
triggered by a detection rule.
`event.kind:alert` is often populated for events coming from firewalls,
intrusion detection systems, endpoint detection and response systems, and so on.
- name: event
description: >
This value is the most general and most common value for this field.
It is used to represent events that indicate that something happened.
- name: metric
description: >
This value is used to indicate that this event describes a numeric measurement
taken at given point in time.
Examples include CPU utilization, memory usage, or device temperature.
Metric events are often collected on a predictable frequency, such as once
every few seconds, or once a minute, but can also be used to
describe ad-hoc numeric metric queries.
- name: state
description: >
The state value is similar to metric, indicating that this event describes a
measurement taken at given point in time, except that the measurement does not
result in a numeric value, but rather one of a fixed set of categorical values
that represent conditions or states.
Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red),
the state of a TCP connection (open, closed, fin_wait, etc.), the state of a host with respect
to a software vulnerability (vulnerable, not vulnerable), and the state of a system
regarding compliance with a regulatory standard (compliant, not compliant).
Note that an event that describes a change of state would not use `event.kind:state`,
but instead would use 'event.kind:event' since a state change fits the more general
event definition of something that happened.
State events are often collected on a predictable frequency, such as once
every few seconds, once a minute, once an hour, or once a day, but can also be used to
describe ad-hoc state queries.
- name: pipeline_error
description: >
This value indicates that an error occurred during the ingestion of this event,
and that event data may be missing, inconsistent, or incorrect.
`event.kind:pipeline_error` is often associated with parsing errors.
- name: signal
description: >
This value is used by the Elastic SIEM app to denote an Elasticsearch
document that was created by a SIEM detection engine rule.
A signal will typically trigger a notification that something
meaningful happened and should be investigated.
Usage of this value is reserved, and pipelines should not populate
`event.kind` with the value "signal".
- name: category
level: core
type: keyword
short: Event category. The second categorization field in the hierarchy.
description: >
This is one of four ECS Categorization Fields, and indicates the
second level in the ECS category hierarchy.
`event.category` represents the "big buckets" of ECS categories. For example,
filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory.
This field is an array. This will allow proper categorization of some events
that fall in multiple categories.
example: authentication
normalize:
- array
allowed_values:
- name: authentication
description: >
Events in this category are related to the challenge and response process
in which credentials are supplied and verified to allow the creation of a session.
Common sources for these logs are Windows event logs and ssh logs.
Visualize and analyze events in this category to look for failed logins,
and other authentication-related activity.
expected_event_types:
- start
- end
- info
- name: database
description: >
The database category denotes events and metrics relating to a data storage
and retrieval system. Note that use of this category is not limited to
relational database systems. Examples include event logs from MS SQL, MySQL,
Elasticsearch, MongoDB, etc. Use this category to visualize and analyze
database activity such as accesses and changes.
expected_event_types:
- access
- change
- info
- error
- name: driver
description: >
Events in the driver category have to do with operating system device drivers
and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.
Use events and metrics in this category to visualize and analyze driver-related
activity and status on hosts.
expected_event_types:
- change
- end
- info
- start
- name: file
description: >
Relating to a set of information that has been created on, or has existed on a filesystem.
Use this category of events to visualize and analyze the creation, access,
and deletions of files. Events in this category can come
from both host-based and network-based sources. An example source of a network-based
detection of a file transfer would be the Zeek file.log.
expected_event_types:
- change
- creation
- deletion
- info
- name: host
description: >
Use this category to visualize and analyze information such as host inventory
or host lifecycle events.
Most of the events in this category can usually be observed from the outside,
such as from a hypervisor or a control plane's point of view. Some can also
be seen from within, such as "start" or "end".
Note that this category is for information about hosts themselves;
it is not meant to capture activity "happening on a host".
expected_event_types:
- access
- change
- end
- info
- start
- name: iam
description: >
Identity and access management (IAM) events relating to users, groups, and administration.
Use this category to visualize and analyze IAM-related logs and data from active directory,
LDAP, Okta, Duo, and other IAM systems.
expected_event_types:
- admin
- change
- creation
- deletion
- group
- info
- user
- name: intrusion_detection
description: >
Relating to intrusion detections from IDS/IPS systems and functions,
both network and host-based. Use this category to visualize and analyze
intrusion detection alerts from systems such as Snort, Suricata,
and Palo Alto threat detections.
expected_event_types:
- allowed
- denied
- info
- name: malware
description: >
Malware detection events and alerts. Use this category to visualize and analyze
malware detections from EDR/EPP systems such as Elastic Endpoint Security,
Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
such as Suricata, or other sources of malware-related events such as
Palo Alto Networks threat logs and Wildfire logs.
expected_event_types:
- info
- name: network
description: >
Relating to all network activity, including network connection lifecycle,
network traffic, and essentially any event that includes an IP address. Many events
containing decoded network protocol transactions fit into this category.
Use events in this category to visualize or analyze counts of network ports,
protocols, addresses, geolocation information, etc.
expected_event_types:
- access
- allowed
- connection
- denied
- end
- info
- protocol
- start
- name: package
description: >
Relating to software packages installed on hosts. Use this category to
visualize and analyze inventory of software installed on various hosts,
or to determine host vulnerability in the absence of vulnerability scan data.
expected_event_types:
- access
- change
- deletion
- info
- installation
- start
- name: process
description: >
Use this category of events to visualize and analyze process-specific
information such as lifecycle events or process ancestry.
expected_event_types:
- access
- change
- end
- info
- start
- name: web
description: >
Relating to web server access. Use this category to create a dashboard of
web server/proxy activity from apache, IIS, nginx web servers, etc.
Note: events from network observers such as Zeek http log may also be included
in this category.
expected_event_types:
- access
- error
- info
- name: action
level: core
type: keyword
short: The action captured by the event.
description: >
The action captured by the event.
This describes the information in the event. It is more specific than
`event.category`. Examples are `group-add`, `process-started`,
`file-created`. The value is normally defined by the implementer.
example: user-password-change
- name: outcome
level: core
type: keyword
short: The outcome of the event. The lowest level categorization field in the hierarchy.
description: >
This is one of four ECS Categorization Fields, and indicates the
lowest level in the ECS category hierarchy.
`event.outcome` simply denotes whether the event represents a success or a failure from
the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each event may
populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple logical events),
this field should be populated with the value that best captures the overall success or failure from
the perspective of the event producer.
Further note that not all events will have an associated outcome. For example, this field is
generally not populated for metric events, events with `event.type:info`, or any events for
which an outcome does not make logical sense.
example: success
allowed_values:
- name: failure
description: >
Indicates that this event describes a failed result. A common example is
`event.category:file AND event.type:access AND event.outcome:failure`
to indicate that a file access was attempted, but was not successful.
- name: success
description: >
Indicates that this event describes a successful result. A common example is
`event.category:file AND event.type:create AND event.outcome:success`
to indicate that a file was successfully created.
- name: unknown
description: >
Indicates that this event describes only an attempt for which the result
is unknown from the perspective of the event producer.
For example, if the event contains information only about the request side
of a transaction that results in a response, populating `event.outcome:unknown`
in the request event is appropriate.
The unknown value should not be used when an outcome doesn't make logical sense for
the event. In such cases `event.outcome` should not be populated.
- name: type
level: core
type: keyword
short: Event type. The third categorization field in the hierarchy.
description: >
This is one of four ECS Categorization Fields, and indicates the
third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with
the `event.category` field values, enables filtering events down to a level
appropriate for single visualization.
This field is an array. This will allow proper categorization of some events
that fall in multiple event types.
normalize:
- array
allowed_values:
- name: access
description: >
The access event type is used for the subset of events within a category
that indicate that something was accessed.
Common examples include `event.category:database AND event.type:access`,
or `event.category:file AND event.type:access`.
Note for file access, both directory listings and file opens should be included
in this subcategory. You can further distinguish access operations using the ECS
`event.action` field.
- name: admin
description: >
The admin event type is used for the subset of events within a category
that are related to admin objects. For example, administrative changes within
an IAM framework that do not specifically affect a user or group (e.g., adding new
applications to a federation solution or connecting discrete forests in Active Directory)
would fall into this subcategory.
Common example: `event.category:iam AND event.type:change AND event.type:admin`.
You can further distinguish admin operations using the ECS
`event.action` field.
- name: allowed
description: >
The allowed event type is used for the subset of events within a category that
indicate that something was allowed. Common examples include
`event.category:network AND event.type:connection AND event.type:allowed` (to indicate a network
firewall event for which the firewall disposition was to allow the connection to complete)
and `event.category:intrusion_detection AND event.type:allowed` (to indicate a network
intrusion prevention system event for which the IPS disposition was to allow the connection
to complete). You can further distinguish allowed operations using the ECS
`event.action` field, populating with values of your choosing, such as "allow", "detect", or
"pass".
- name: change
description: >
The change event type is used for the subset of events within a category
that indicate that something has changed. If semantics best describe an
event as modified, then include them in this subcategory.
Common examples include `event.category:process AND event.type:change`,
and `event.category:file AND event.type:change`.
You can further distinguish change operations using the ECS `event.action` field.
- name: connection
description: >
Used primarily with `event.category:network` this value is used for the subset of
network traffic that includes sufficient information for the event to be included
in flow or connection analysis. Events in this subcategory will contain at least
source and destination IP addresses, source and destination TCP/UDP ports, and will usually
contain counts of bytes and/or packets transferred. Events in this subcategory may contain
unidirectional or bidirectional information, including summary information.
Use this subcategory to visualize and analyze network connections. Flow analysis, including
Netflow, IPFIX, and other flow-related events fit in this subcategory. Note that firewall
events from many Next-Generation Firewall (NGFW) devices will also fit into this subcategory. A common filter for
flow/connection information would be
`event.category:network AND event.type:connection AND event.type:end` (to view or analyze all
completed network connections, ignoring mid-flow reports). You can further distinguish connection
events using the ECS `event.action` field, populating with values of your choosing, such as
"timeout", or "reset".
- name: creation
description: >
The "creation" event type is used for the subset of events within a category
that indicate that something was created.
A common example is `event.category:file AND event.type:creation`.
- name: deletion
description: >
The deletion event type is used for the subset of events within a category
that indicate that something was deleted.
A common example is `event.category:file AND event.type:deletion`
to indicate that a file has been deleted.
- name: denied
description: >
The denied event type is used for the subset of events within a category that
indicate that something was denied. Common examples include
`event.category:network AND event.type:denied` (to indicate a network
firewall event for which the firewall disposition was to deny the connection)
and `event.category:intrusion_detection AND event.type:denied` (to indicate a network
intrusion prevention system event for which the IPS disposition was to deny the connection
to complete). You can further distinguish denied operations using the ECS
`event.action` field, populating with values of your choosing, such as "blocked", "dropped", or
"quarantined".
- name: end
description: >
The end event type is used for the subset of events within a category
that indicate something has ended.
A common example is `event.category:process AND event.type:end`.
- name: error
description: >
The error event type is used for the subset of events within a category
that indicate or describe an error.
A common example is `event.category:database AND event.type:error`.
Note that pipeline errors that occur during the event ingestion process
should not use this `event.type` value. Instead, they should use
`event.kind:pipeline_error`.
- name: group
description: >
The group event type is used for the subset of events within a category
that are related to group objects.
Common example: `event.category:iam AND event.type:creation AND event.type:group`.
You can further distinguish group operations using the ECS
`event.action` field.
- name: info
description: >
The info event type is used for the subset of events within a category
that indicate that they are purely informational, and don't report a state
change, or any type of action. For example, an initial run of a file integrity
monitoring system (FIM), where an agent reports all files under management,
would fall into the "info" subcategory. Similarly, an event containing a
dump of all currently running processes (as opposed to reporting that a process
started/ended) would fall into the "info" subcategory.
An additional common examples is `event.category:intrusion_detection AND event.type:info`.
- name: installation
description: >
The installation event type is used for the subset of events within a category
that indicate that something was installed.
A common example is `event.category:package` AND `event.type:installation`.
- name: protocol
description: >
The protocol event type is used for the subset of events within a category that
indicate that they contain protocol details or analysis, beyond simply identifying the protocol.
Generally, network events that contain specific protocol details will fall into this subcategory.
A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end`
(to indicate that the event is a network connection event sent at the end of a connection
that also includes a protocol detail breakdown).
Note that events that only indicate the name or id of the protocol should not use the protocol value.
Further note that when the protocol subcategory is used, the identified protocol is populated in
the ECS `network.protocol` field.
expected_event_types:
- access
- change
- end
- info
- start
- name: start
description: >
The start event type is used for the subset of events within a category
that indicate something has started. A common example is
`event.category:process AND event.type:start`.
- name: user
description: >
The user event type is used for the subset of events within a category
that are related to user objects.
Common example: `event.category:iam AND event.type:deletion AND event.type:user`.
You can further distinguish user operations using the ECS
`event.action` field.
- name: module
level: core
type: keyword
short: Name of the module this data is coming from.
description: >
Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to
process events of a given source (e.g. Apache logs),
`event.module` should contain the name of this module.
example: apache
- name: dataset
level: core
type: keyword
short: Name of the dataset.
description: >
Name of the dataset.
If an event source publishes more than one type of log or events
(e.g. access log, error log), the dataset is used to specify which
one the event comes from.
It's recommended but not required to start the dataset name with
the module name, followed by a dot, then the dataset name.
example: apache.access
- name: provider
level: extended
type: keyword
short: Source of the event.
description: >
Source of the event.
Event transports such as Syslog or the Windows Event Log typically
mention the source of an event. It can be the name of the
software that generated the event (e.g. Sysmon, httpd),
or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
example: kernel
- name: severity
type: long
level: core
format: string
example: 7
short: Numeric severity of the event.
description: >
The numeric severity of the event according to your event source.
What the different severity values mean can be different between sources
and use cases.
It's up to the implementer to make sure severities are consistent across
events from the same source.
The Syslog severity belongs in `log.syslog.severity.code`.
`event.severity` is meant to represent the severity according to
the event source (e.g. firewall, IDS).
If the event source does not publish its own severity,
you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: original
level: core
type: keyword
# Unfortunately this example is not shown correctly yet as | do not work
# in tables well
# Is | is the representation of | it works except for cases where
# used ticks.
example: "Sep 19 08:26:10 host CEF:0|Security|
threatmanager|1.0|100|
worm successfully stopped|10|src=10.0.0.1
dst=2.1.2.2spt=1232"
short: Raw text message of entire event.
description: >
Raw text message of entire event. Used to demonstrate log integrity.
This field is not indexed and doc_values are disabled. It cannot be
searched, but it can be retrieved from `_source`.
index: false
doc_values: false
- name: hash
level: extended
type: keyword
example: "123456789012345678901234567890ABCD"
description: >
Hash (perhaps logstash fingerprint) of raw field to be able to
demonstrate log integrity.
- name: duration
level: core
type: long
format: duration
input_format: nanoseconds
output_format: asMilliseconds
output_precision: 1
short: Duration of the event in nanoseconds.
description: >
Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the
difference between the end and start time.
- name: sequence
format: string
level: extended
type: long
short: Sequence number of the event.
description: >
Sequence number of the event.
The sequence number is a value published by some event sources, to make the
exact ordering of events unambiguous, regardless of the timestamp precision.
- name: timezone
level: extended
type: keyword
short: Event time zone.
description: >
This field should be populated when the event's timestamp does not include
timezone information already (e.g. default Syslog timestamps). It's
optional otherwise.
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: created
level: core
type: date
short: Time when the event was first read by an agent or by your pipeline.
example: '2016-05-23T08:05:34.857Z'
description: >
event.created contains the date/time when the event was first read by an
agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contain
the time extracted from the original event.
In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source
generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to
keep up with your event source.
In case the two timestamps are identical, @timestamp should be used.
- name: start
level: extended
type: date
description: >
event.start contains the date when the event started or when the
activity was first observed.
- name: end
level: extended
type: date
description: >
event.end contains the date when the event ended or when the activity
was last observed.
- name: risk_score
level: core
type: float
description: >
Risk score or priority of the event (e.g. security solutions).
Use your system's original value here.
- name: risk_score_norm
level: extended
type: float
short: Normalized risk score or priority of the event (0-100).
description: >
Normalized risk score or priority of the event, on a scale of 0 to 100.
This is mainly useful if you use more than one system that assigns
risk scores, and you want to see a normalized value across all systems.
- name: ingested
level: core
type: date
short: Timestamp when an event arrived in the central data store.
example: '2016-05-23T08:05:35.101Z'
description: >
Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally
occurred. It's also different from `event.created`, which is meant
to capture the first time an agent saw the event.
In normal conditions, assuming no tampering, the timestamps should
chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: reference
level: extended
type: keyword
short: Event reference URL
description: >
Reference URL linking to additional information about this event.
This URL links to a static definition of the this event.
Alert events, indicated by `event.kind:alert`, are a common use case for this field.
example: https://system.vendor.com/event/#0001234
- name: url
level: extended
type: keyword
short: Event investigation URL
description: >
URL linking to an external system to continue investigation of this event.
This URL links to another
system where in-depth investigation of the specific occurence of this event can take place.
Alert events, indicated by `event.kind:alert`, are a common use case for this field.
example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe