[[ecs-field-reference]]
== {ecs} Field Reference

This is the documentation of ECS version 8.7.0-dev.

ECS defines multiple groups of related fields. They are called "field sets".
The <> field set is the only one whose fields are defined at the root of the event.

All other field sets are defined as objects in {es}, under which all fields are defined.

For a single page representation of all fields, please see the {ecs_github_repo_link}/generated/csv/fields.csv[generated CSV of fields].

[float]
[[ecs-fieldsets]]
=== Field Sets

[cols="<,<",options="header",]
|=====
| Field Set | Description

| <> | All fields defined directly at the root of the events.
| <> | Fields about the monitoring agent.
| <> | Fields describing an Autonomous System (Internet routing prefix).
| <> | Fields about the client side of a network connection, used with server.
| <> | Fields about the cloud resource.
| <> | These fields contain information about binary code signatures.
| <> | Fields describing the container that generated this event.
| <> | The data_stream fields take part in defining the new data stream naming scheme.
| <> | Fields about the destination side of a network connection, used with source.
| <> | Fields characterizing a (mobile) device a process or application is running on.
| <> | These fields contain information about code libraries dynamically loaded into processes.
| <> | Fields describing DNS queries and answers.
| <> | Meta-information specific to ECS.
| <> | These fields contain Linux Executable Linkable Format (ELF) metadata.
| <> | Describes an email transaction.
| <> | Fields about errors of any kind.
| <> | Fields breaking down the event details.
| <> | Fields describing functions as a service.
| <> | Fields describing files.
| <> | Fields describing a location.
| <> | User's group relevant to the event.
| <> | Hashes, usually file hashes.
| <> | Fields describing the relevant computing instance.
| <> | Fields describing an HTTP request.
| <> | Fields to describe observer interface information.
| <> | Details about the event's logging mechanism.
| <> | These fields contain Mac OS Mach Object file format (Mach-O) metadata.
| <> | Fields describing the communication path over which the event happened.
| <> | Fields describing an entity observing the event from outside the host.
| <> | Fields relevant to container orchestrators.
| <> | Fields describing the organization or company the event is associated with.
| <> | OS fields contain information about the operating system.
| <> | These fields contain information about an installed software package.
| <> | These fields contain Windows Portable Executable (PE) metadata.
| <> | These fields contain information about a process.
| <> | Fields related to Windows Registry operations.
| <> | Fields meant to facilitate pivoting around a piece of data.
| <> | Fields for describing risk score and level.
| <> | Fields to capture details about rules used to generate alerts or other notable events.
| <> | Fields about the server side of a network connection, used with client.
| <> | Fields describing the service for or from which the data was collected.
| <> | Fields about the source side of a network connection, used with destination.
| <> | Fields to classify events and alerts according to a threat taxonomy.
| <> | Fields describing a TLS connection.
| <> | Fields related to distributed tracing.
| <> | Fields that let you store URLs in various forms.
| <> | Fields to describe the user relevant to the event.
| <> | Fields to describe a browser user_agent string.
| <> | Fields to describe observed VLAN information.
| <> | Fields to describe the vulnerability relevant to an event.
| <> | These fields contain x509 certificate metadata.
|=====

include::field-details.asciidoc[]