Crate ecs_types


Usage example

use ecs_types::types::Timestamp;
use ecs_types::*;
use serde_json::json;

// Convert the current local time into an ECS Timestamp.
let now: Timestamp = chrono::offset::Local::now().into();

// The base field set carries the fields at the root of every event,
// starting with @timestamp.
let mut base = Base::new(now.clone());

// Build a file field set and attach it to the event.
let mut file = File::default();
file.set_name("readme.txt".into());
file.set_mtime(now);
base.with_file(file);

// Serialize the event as pretty-printed ECS JSON.
println!("{}", serde_json::to_string_pretty(&json!(base)).unwrap());

which produces the following output:

{
  "@timestamp": 1669822098181,
  "file": {
    "attributes": [],
    "mtime": 1669822098181,
    "name": "readme.txt"
  },
  "tags": []
}

Modules

Structs

  • The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
  • An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
  • The base field set contains all fields which are at the root of the events. These fields are common across all types of events.
  • A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
  • Fields related to the cloud or infrastructure the events are coming from.
  • These fields contain information about binary code signatures.
  • Container fields are used for meta information about the specific container that is the source of information.
  • The data_stream fields take part in defining the new data stream naming scheme.
  • Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
  • Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
  • These fields contain information about code libraries dynamically loaded into processes.
  • Fields describing DNS queries and answers.
  • Meta-information specific to ECS.
  • These fields contain Linux Executable Linkable Format (ELF) metadata.
  • Event details relating to an email transaction.
  • These fields can represent errors of any kind.
  • The event fields are used for context information about the log or metric event itself.
  • The FaaS fields describe information about the function as a service (FaaS) that is relevant to the event.
  • A file is defined as a set of information that has been created on, or has existed on a filesystem.
  • Geo fields can carry data about a specific location related to an event.
  • The group fields are meant to represent groups that are relevant to the event.
  • The hash fields represent different bitwise hash algorithms and their values.
  • A host is defined as a general computing instance.
  • Fields related to HTTP activity. Use the url field set to store the url of the request.
  • The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
  • Details about the event’s logging mechanism or logging transport.
  • These fields contain Mac OS Mach Object file format (Mach-O) metadata.
  • The network is defined as the communication path over which a host or network event happens.
  • An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
  • Fields that describe the resources which container orchestrators manage or act upon.
  • The organization fields enrich data with information about the company or entity the data is associated with.
  • The OS fields contain information about the operating system.
  • These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
  • These fields contain Windows Portable Executable (PE) metadata.
  • These fields contain information about a process.
  • Fields related to Windows Registry operations.
  • This field set is meant to facilitate pivoting around a piece of data.
  • Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.
  • Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
  • A server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
  • The service fields describe the service for or from which the data was collected.
  • Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
  • Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
  • Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related x.509 certificate files.
  • URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on.
  • The user fields describe information about the user that is relevant to the event.
  • The user_agent fields normally come from a browser request.
  • The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
  • The vulnerability fields describe information about a vulnerability that is relevant to an event.
  • This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.