Geo Fieldsedit

Geo fields can carry data about a specific location related to an event.

This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.

Geo Field Detailsedit

Field Description Level

geo.city_name

City name.

type: keyword

example: Montreal

core

geo.continent_code

Two-letter code representing continent’s name.

type: keyword

example: NA

core

geo.continent_name

Name of the continent.

type: keyword

example: North America

core

geo.country_iso_code

Country ISO code.

type: keyword

example: CA

core

geo.country_name

Country name.

type: keyword

example: Canada

core

geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

core

geo.name

User-defined description of a location, at the level of granularity they care about.

Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.

Not typically used in automated geolocation.

type: keyword

example: boston-dc

extended

geo.postal_code

Postal code associated with the location.

Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.

type: keyword

example: 94040

core

geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

core

geo.region_name

Region name.

type: keyword

example: Quebec

core

geo.timezone

The time zone of the location, such as IANA time zone name.

type: keyword

example: America/Argentina/Buenos_Aires

core

Field Reuseedit

The geo fields are expected to be nested at:

  • client.geo
  • destination.geo
  • host.geo
  • observer.geo
  • server.geo
  • source.geo
  • threat.enrichments.indicator.geo
  • threat.indicator.geo

Note also that the geo fields are not expected to be used directly at the root of the events.