# Where could I find all fields content in event.action?

The field `event.action` can be found in Discover and the Security module. My question is: where can I find a document that explains how many and which actions `event.action` includes? For example, `Winlogbeat\module\security\ingest\security.yml` explains every Windows Security event.

Here is a list of the ECS fields and a short description of each: Event Fields | Elastic Common Schema (ECS) Reference [8.2] | Elastic

Specifically, for `event.action`, it lists the following:

> The action captured by the event.
>
> This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
>
> type: keyword
>
> example: `user-password-change`

I've read this list before; it helped me understand the definitions and functions of each field.
But my question is: is there a document that focuses on describing `event.action`, such as what other actions there are besides `user-password-change`?

There is no such document as the value of `event.action` can be anything.

> This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer

So, the values for `event.action` on a specific event are chosen by the team or person who implemented the parsing for that specific event. In the case of Filebeat modules that create the `event.action` field, there was probably some internal discussion in the team to choose which values would be used, or maybe someone from the community contributed to a Filebeat module and chose some values for `event.action`.

If you are parsing some custom log, or something that does not have a Filebeat module, and you want to populate the `event` fields, like `event.action`, you will need to choose the values you want to use for each event.

For example, I had some parsing for the Cloudflare WAF logs. Those logs have a field named `Action`, so I use the value of this field as the value for `event.action`, and those values could be something like `block`, `log`, `bypass`, `challenged`, etc.

The fields that have fixed values, which you should always try to use, are the categorization event fields: `event.type`, `event.kind`, `event.category` and `event.outcome`.

Those fields have some limitations on the values that you can use in them if you want to integrate your data well with the Security module. For example, the `event.outcome` field should have only the values `failure`, `success` or `unknown`.
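The approach described in the answer above, as an added example that is not part of the original posts: a custom log's `Action` value is copied into the free-form `event.action`, `event.outcome` is checked against the three allowed values, and the distinct `event.action` values are then counted from the data itself, since no document lists them. The names `to_ecs`, `action_inventory` and `OUTCOME_BY_ACTION`, the action-to-outcome mapping, and the sample records are assumptions made for illustration.

```python
from collections import Counter

# Allowed event.outcome values, as stated in the thread above.
ALLOWED_OUTCOMES = {"failure", "success", "unknown"}

# Hypothetical, implementer-chosen mapping from the source "Action" value
# to event.outcome; anything unmapped becomes "unknown".
OUTCOME_BY_ACTION = {"block": "failure", "bypass": "success"}


def to_ecs(record, outcome_by_action=OUTCOME_BY_ACTION):
    """Build ECS event.* fields from a custom log record with an Action field."""
    # Lower-casing is a normalisation choice made here so that "Log" and
    # "log" do not become two different event.action values.
    action = str(record.get("Action") or "").strip().lower()
    outcome = outcome_by_action.get(action, "unknown")
    if outcome not in ALLOWED_OUTCOMES:
        # Reject a bad mapping early instead of indexing a value that
        # consumers of the fixed-value fields will not recognise.
        raise ValueError(f"invalid event.outcome {outcome!r} for action {action!r}")
    event = {"outcome": outcome}
    if action:
        event["action"] = action  # free-form: copied from the source field
    return {"event": event}


def action_inventory(docs):
    """Count the distinct event.action values actually present in the data."""
    return Counter(d["event"]["action"] for d in docs if "action" in d["event"])


# Constructed sample records (not real Cloudflare output).
SAMPLE = [
    {"Action": "block"},
    {"Action": "Log"},
    {"Action": "bypass"},
    {"Action": "block"},
    {"Action": "challenged"},
    {},  # record with no Action field
]

if __name__ == "__main__":
    docs = [to_ecs(r) for r in SAMPLE]
    for value, count in action_inventory(docs).most_common():
        print(f"{count:3d}  {value}")
```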

Appreciate. I got it.
