ECS Categorization Field: event.kind
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention or different access control, and it may also help to understand whether the data is coming in at a regular interval or not.
After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.
Allowed Values
alert
This value indicates an event that describes an alert or notable event, triggered by a detection rule.
event.kind:alert is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and so on.
event
This value is the most general and most common value for this field. It is used to represent events that indicate that something happened.
metric
This value is used to indicate that this event describes a numeric measurement taken at a given point in time.
Examples include CPU utilization, memory usage, or a vulnerability scan result.
Metric events are often collected on a predictable frequency, such as once every few seconds, or once a minute.
state
This value is similar to metric, except that the entity being measured does not provide a numeric metric value, but rather one of a fixed set of conditions or states. For example, a periodic event reporting a "fin_wait" state of a TCP connection on a host might use event.kind:state.
pipeline_error
This value indicates that an error occurred during the ingestion of this event, and that event data may be missing, inconsistent, or incorrect. event.kind:pipeline_error is often associated with parsing errors.
signal
This value is used by the Elastic SIEM app to denote an Elasticsearch document that was created by a SIEM detection engine rule.
A signal will typically trigger a notification that something meaningful happened and should be investigated.
Usage of this value is reserved, and pipelines should not populate event.kind with the value "signal".
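The following is an added example, not code from the ECS project, showing how an ingestion step can enforce the rules on this page: it checks event.kind against the allowed values, refuses the reserved "signal" value, marks parse failures as pipeline_error, and uses the kind to pick a retention period. The retention numbers and the sample log lines are constructed for illustration and are not part of the ECS documentation.

```python
import json

# Allowed event.kind values as listed on this page.
ALLOWED_KINDS = {"alert", "event", "metric", "state", "pipeline_error", "signal"}
# Reserved for the SIEM detection engine; ingestion pipelines must not set it.
RESERVED_KINDS = {"signal"}
# Illustrative retention policy keyed by event.kind (assumed values, not from ECS).
RETENTION_DAYS = {"alert": 365, "event": 90, "metric": 30,
                  "state": 30, "pipeline_error": 7, "signal": 365}


def validate_event_kind(doc):
    """Return a list of problems with doc["event"]["kind"] (empty if valid)."""
    event = doc.get("event") if isinstance(doc, dict) else None
    kind = event.get("kind") if isinstance(event, dict) else None
    if kind is None:
        return ["event.kind is missing"]
    if kind not in ALLOWED_KINDS:
        return [f"event.kind {kind!r} is not an allowed value"]
    if kind in RESERVED_KINDS:
        return [f"event.kind {kind!r} is reserved for the detection engine"]
    return []


def ingest(raw_line):
    """Parse one JSON line into an ECS document; failures become pipeline_error."""
    try:
        doc = json.loads(raw_line)
        if not isinstance(doc, dict):
            raise ValueError("top-level JSON value is not an object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        # Keep the raw payload in event.original and flag the kind so downstream
        # consumers know the event data may be missing or incorrect.
        return {"event": {"kind": "pipeline_error", "original": raw_line},
                "error": {"message": f"parse error: {exc}"}}
    problems = validate_event_kind(doc)
    if problems:
        doc.setdefault("event", {})["kind"] = "pipeline_error"
        doc["error"] = {"message": "; ".join(problems)}
    return doc


def retention_for(doc):
    """Retention period in days, chosen from the document's event.kind."""
    return RETENTION_DAYS[doc["event"]["kind"]]


# Constructed sample input: a firewall alert, a CPU metric, an event that wrongly
# claims to be a detection-engine signal, and a line that is not valid JSON.
SAMPLE_LINES = [
    '{"event": {"kind": "alert", "category": ["network"]}, "message": "blocked"}',
    '{"event": {"kind": "metric"}, "host": {"cpu": {"usage": 0.42}}}',
    '{"event": {"kind": "signal"}, "message": "not from the detection engine"}',
    '{"event": {"kind": "metric", "broken json',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        doc = ingest(line)
        print(doc["event"]["kind"], retention_for(doc), doc.get("error", {}).get("message", ""))
```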