Crate ecs_types


Usage example

use ecs_types::types::Timestamp;
use ecs_types::*;
use serde_json::json;

fn main() {
    // Current local time, converted into the crate's Timestamp type.
    let now: Timestamp = chrono::offset::Local::now().into();
    // The base field set is the root of every ECS event.
    let mut base = Base::new(now.clone());
    // Populate the file field set and attach it to the event.
    let mut file = File::default();
    file.set_name("readme.txt".into());
    file.set_mtime(now);

    base.with_file(file);
    // Serialize the event as pretty-printed JSON.
    println!("{}", serde_json::to_string_pretty(&json!(base)).unwrap());
}

which prints the following JSON:

{
  "@timestamp": 1669822098181,
  "file": {
    "attributes": [],
    "mtime": 1669822098181,
    "name": "readme.txt"
  },
  "tags": []
}

Modules

types

Structs

Agent
The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
As
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
Base
The base field set contains all fields which are at the root of the events. These fields are common across all types of events.
Client
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
Cloud
Fields related to the cloud or infrastructure the events are coming from.
CodeSignature
These fields contain information about binary code signatures.
Container
Container fields are used for meta information about the specific container that is the source of information.
DataStream
The data_stream fields take part in defining the new data stream naming scheme.
Destination
Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
Device
Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
Dll
These fields contain information about code libraries dynamically loaded into processes.
Dns
Fields describing DNS queries and answers.
Ecs
Meta-information specific to ECS.
Elf
These fields contain Linux Executable Linkable Format (ELF) metadata.
Email
Event details relating to an email transaction.
Error
These fields can represent errors of any kind.
Event
The event fields are used for context information about the log or metric event itself.
Faas
The faas fields describe information about the function as a service (FaaS) that is relevant to the event.
File
A file is defined as a set of information that has been created on, or has existed on a filesystem.
Geo
Geo fields can carry data about a specific location related to an event.
Group
The group fields are meant to represent groups that are relevant to the event.
Hash
The hash fields represent different bitwise hash algorithms and their values.
Host
A host is defined as a general computing instance.
Http
Fields related to HTTP activity. Use the url field set to store the url of the request.
Interface
The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
Log
Details about the event’s logging mechanism or logging transport.
Macho
These fields contain Mac OS Mach Object file format (Mach-O) metadata.
Network
The network is defined as the communication path over which a host or network event happens.
Observer
An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
Orchestrator
Fields that describe the resources which container orchestrators manage or act upon.
Organization
The organization fields enrich data with information about the company or entity the data is associated with.
Os
The OS fields contain information about the operating system.
Package
These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
Pe
These fields contain Windows Portable Executable (PE) metadata.
Process
These fields contain information about a process.
Registry
Fields related to Windows Registry operations.
Related
This field set is meant to facilitate pivoting around a piece of data.
Risk
Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under event.*. Please continue to use event.risk_score and event.risk_score_norm for event risk.
Rule
Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
Server
A server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
Service
The service fields describe the service for or from which the data was collected.
Source
Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
Threat
Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
Tls
Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related x.509 certificate files.
Url
URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on.
User
The user fields describe information about the user that is relevant to the event.
UserAgent
The user_agent fields normally come from a browser request.
Vlan
The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
Vulnerability
The vulnerability fields describe information about a vulnerability that is relevant to an event.
X509
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.