Crate ecs_types


Usage example

use ecs_types::types::Timestamp;
use ecs_types::*;
use serde_json::json;

// Capture the current local time as an ECS Timestamp (serialized as epoch milliseconds).
let now: Timestamp = chrono::offset::Local::now().into();
// Base carries the root-level fields (@timestamp, tags, ...).
let mut base = Base::new(now.clone());
// Populate the file field set and attach it to the event.
let mut file = File::default();
file.set_name("readme.txt".into());
file.set_mtime(now);

base.with_file(file);
println!("{}", serde_json::to_string_pretty(&json!(base)).unwrap());

creates the following result:

{
  "@timestamp": 1669822098181,
  "file": {
    "attributes": [],
    "mtime": 1669822098181,
    "name": "readme.txt"
  },
  "tags": []
}
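Consuming that output on the other side of the pipeline, as an added Python example (not part of the ecs_types crate): parse the serialized event, flatten it to ECS dotted field names, check that the mandatory base field @timestamp is present, and rewrite the epoch-millisecond dates emitted by the Timestamp type as RFC 3339 strings. The sample document is the JSON shown above; the DATE_FIELDS subset is an assumption and only covers the file.* dates.

```python
import json
from datetime import datetime, timedelta, timezone

# Sample input: the document produced by the crate's usage example above.
SAMPLE_EVENT = """
{
  "@timestamp": 1669822098181,
  "file": {"attributes": [], "mtime": 1669822098181, "name": "readme.txt"},
  "tags": []
}
"""

# ECS date fields that arrive as epoch milliseconds from this crate.
# Assumed subset; extend it for the field sets you actually populate.
DATE_FIELDS = {"@timestamp", "file.mtime", "file.ctime", "file.created", "file.accessed"}


def millis_to_rfc3339(ms: int) -> str:
    """Convert epoch milliseconds to an RFC 3339 UTC string without float rounding."""
    whole = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = whole + timedelta(milliseconds=ms % 1000)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into ECS dotted names; arrays stay as leaf values."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def normalize_event(raw: str) -> dict:
    """Parse a serialized ECS event, enforce @timestamp, and normalize date fields."""
    event = flatten(json.loads(raw))
    if "@timestamp" not in event:
        raise ValueError("ECS base requires @timestamp")
    for field in DATE_FIELDS:
        if isinstance(event.get(field), int):
            event[field] = millis_to_rfc3339(event[field])
    return event


if __name__ == "__main__":
    print(json.dumps(normalize_event(SAMPLE_EVENT), indent=2))
```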

Modules

Structs

The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
The base field set contains all fields which are at the root of the events. These fields are common across all types of events.
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
Fields related to the cloud or infrastructure the events are coming from.
These fields contain information about binary code signatures.
Container fields are used for meta information about the specific container that is the source of information.
The data_stream fields take part in defining the new data stream naming scheme.
Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
These fields contain information about code libraries dynamically loaded into processes.
Fields describing DNS queries and answers.
Meta-information specific to ECS.
These fields contain Linux Executable Linkable Format (ELF) metadata.
Event details relating to an email transaction.
These fields can represent errors of any kind.
The event fields are used for context information about the log or metric event itself.
The faas fields describe information about the function as a service (FaaS) that is relevant to the event.
A file is defined as a set of information that has been created on, or has existed on a filesystem.
Geo fields can carry data about a specific location related to an event.
The group fields are meant to represent groups that are relevant to the event.
The hash fields represent different bitwise hash algorithms and their values.
A host is defined as a general computing instance.
Fields related to HTTP activity. Use the url field set to store the url of the request.
The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
Details about the event’s logging mechanism or logging transport.
These fields contain Mac OS Mach Object file format (Mach-O) metadata.
The network is defined as the communication path over which a host or network event happens.
An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
Fields that describe the resources which container orchestrators manage or act upon.
The organization fields enrich data with information about the company or entity the data is associated with.
The OS fields contain information about the operating system.
These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
These fields contain Windows Portable Executable (PE) metadata.
These fields contain information about a process.
Fields related to Windows Registry operations.
This field set is meant to facilitate pivoting around a piece of data.
Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.
Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
A server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
The service fields describe the service for or from which the data was collected.
Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related x.509 certificate files.
URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on.
The user fields describe information about the user that is relevant to the event.
The user_agent fields normally come from a browser request.
The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
The vulnerability fields describe information about a vulnerability that is relevant to an event.
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.