Destination Fields

Destination fields describe details about the destination of a packet/event.

Destination fields are usually populated in conjunction with source fields.

Destination Field Details

| Field | Description | Level |
| --- | --- | --- |
| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is. type: keyword | extended |
| destination.bytes | Bytes sent from the destination to the source. type: long; example: 184 | core |
| destination.domain | Destination domain. type: keyword | core |
| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. type: ip | core |
| destination.mac | MAC address of the destination. type: keyword | core |
| destination.packets | Packets sent from the destination to the source. type: long; example: 12 | core |
| destination.port | Port of the destination. type: long | core |
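
The `destination.address` rule above (always keep the raw value, then copy it to `.ip` or `.domain` depending on which one it is), as an added example that is not part of the schema documentation. The `looks_like_domain` heuristic, the function names and the sample inputs are assumptions made for this illustration.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_domain(value):
    """Heuristic (assumption): dot-separated DNS labels, last label not numeric."""
    name = value.rstrip(".")  # tolerate a trailing root dot
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[-1].isdigit():  # e.g. "10.0.0.256" is a malformed IP, not a domain
        return False
    return all(_LABEL.match(label) for label in labels)


def ecs_destination(raw_address):
    """Return a `destination` object for one raw address string."""
    dest = {"address": raw_address}  # the raw value is always kept
    try:
        # Valid IPv4/IPv6: duplicate into .ip in canonical form.
        dest["ip"] = str(ipaddress.ip_address(raw_address))
    except ValueError:
        if looks_like_domain(raw_address):
            dest["domain"] = raw_address
        # Anything else (unix socket path, malformed IP) stays in .address only,
        # so an `ip`-typed field never receives a value it cannot index.
    return dest


# Constructed sample inputs, not taken from real events.
SAMPLES = ["192.0.2.10", "2001:DB8::1", "example.com",
           "/var/run/app.sock", "10.0.0.256"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(ecs_destination(raw))
```
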

Field Reuse

Field sets that can be nested under Destination

| Nested fields | Description |
| --- | --- |
| destination.geo.* | Fields describing a location. |
| destination.user.* | Fields to describe the user relevant to the event. |