Usage example
use ecs_types::types::Timestamp;
use ecs_types::*;
use serde_json::json;

fn main() {
    // Convert the current local time into the crate's ECS Timestamp type.
    let now: Timestamp = chrono::offset::Local::now().into();
    // Base holds the root-level fields; @timestamp is required, so it is passed to the constructor.
    let mut base = Base::new(now.clone());
    // Populate the file field set with a name and a modification time.
    let mut file = File::default();
    file.set_name("readme.txt".into());
    file.set_mtime(now);
    // Attach the file field set to the event.
    base.with_file(file);
    // Serialize the event as pretty-printed JSON.
    println!("{}", serde_json::to_string_pretty(&json!(base)).unwrap());
}
prints the following JSON:
{
    "@timestamp": 1669822098181,
    "file": {
        "attributes": [],
        "mtime": 1669822098181,
        "name": "readme.txt"
    },
    "tags": []
}
Structs
- The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
- An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
- The base field set contains all fields which are at the root of the events. These fields are common across all types of events.
- A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
- Fields related to the cloud or infrastructure the events are coming from.
- These fields contain information about binary code signatures.
- Container fields are used for meta information about the specific container that is the source of information.
- The data_stream fields take part in defining the new data stream naming scheme.
- Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
- Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
- These fields contain information about code libraries dynamically loaded into processes.
- Fields describing DNS queries and answers.
- Meta-information specific to ECS.
- These fields contain Linux Executable Linkable Format (ELF) metadata.
- Event details relating to an email transaction.
- These fields can represent errors of any kind.
- The event fields are used for context information about the log or metric event itself.
- The user fields describe information about the function as a service (FaaS) that is relevant to the event.
- A file is defined as a set of information that has been created on, or has existed on a filesystem.
- Geo fields can carry data about a specific location related to an event.
- The group fields are meant to represent groups that are relevant to the event.
- The hash fields represent different bitwise hash algorithms and their values.
- A host is defined as a general computing instance.
- Fields related to HTTP activity. Use the url field set to store the URL of the request.
- The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
- Details about the event’s logging mechanism or logging transport.
- These fields contain Mac OS Mach Object file format (Mach-O) metadata.
- The network is defined as the communication path over which a host or network event happens.
- An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
- Fields that describe the resources which container orchestrators manage or act upon.
- The organization fields enrich data with information about the company or entity the data is associated with.
- The OS fields contain information about the operating system.
- These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
- These fields contain Windows Portable Executable (PE) metadata.
- These fields contain information about a process.
- Fields related to Windows Registry operations.
- This field set is meant to facilitate pivoting around a piece of data.
- Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.
- Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
- A server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
- The service fields describe the service for or from which the data was collected.
- Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
- Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
- Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related X.509 certificate files.
- URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on.
- The user fields describe information about the user that is relevant to the event.
- The user_agent fields normally come from a browser request.
- The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
- The vulnerability fields describe information about a vulnerability that is relevant to an event.
- This implements the common core fields for X.509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.