ECS Categorization Fieldsedit

This section of ECS is in beta and is subject to change. These allowed values are still under active development. Additional values will be published gradually, and some of the values or relationships described here may change. Users who want to provide feedback, or who want to have a look at upcoming allowed values can visit this public feedback document https://ela.st/ecs-categories-draft.

At a high level, ECS provides fields to classify events in two different ways: "Where it’s from" (e.g., event.module, event.dataset, agent.type, observer.type, etc.), and "What it is." The categorization fields hold the "What it is" information, independent of the source of the events.

ECS defines four categorization fields for this purpose, each of which falls under the event.* field set.

Categorization Fieldsedit

If your events don’t match any of these categorization values, you should leave the fields empty. This will ensure you can start populating the fields once the appropriate categorization values are published, in a later release.