Where can I find all the possible values of event.action?

The field event.action can be found in Discover and the Security module. My question is, where can I find a document that explains which actions event.action includes, and how many there are? Something like Winlogbeat\module\security\ingest\security.yml, which explains every Windows Security event.

Here is a list of the ECS fields and a short description of each: Event Fields | Elastic Common Schema (ECS) Reference [8.11] | Elastic

Specifically, for event.action, it lists the following:

The action captured by the event.
This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer.
type: keyword
example: user-password-change

Thanks for the reply.
I've read this list before; it helped me to understand the definitions and functions of each field.
But my question is, is there a document focused on describing event.action, like what other actions exist besides user-password-change?

There is no such document, as the value of event.action can be anything.

As explained in the documentation already linked.

This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer.

So, the values for event.action on a specific event are chosen by the team or person who implemented the parser for that specific event. In the case of Filebeat modules that create the event.action field, there was probably some internal discussion in the team to choose which values would be used, or maybe someone from the community contributed to a Filebeat module and chose some values for event.action.

If you are parsing some custom log, or something that does not have a Filebeat module, and you want to populate the event fields like event.action, you will need to choose the values you want to use for each event.

For example, I had a parser for the Cloudflare WAF logs. Those logs have a field named Action, so I used the value of that field as the value for event.action, and those values could be something like block, log, bypass, challenged, etc.

The fields that have fixed values, which you should always try to use, are the categorization event fields: event.type, event.kind, event.category and event.outcome.

Those fields have limitations on the values you can use in them if you want to integrate your data well with the Security module; for example, the event.outcome field should only have the values failure, success or unknown.
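
The approach the reply describes, shown as an added example that is not code from the thread or from Elastic: a small normalizer that copies the source log's own Action value straight into event.action (free-form, implementer's choice) while forcing the categorization fields through the fixed ECS vocabularies. The Cloudflare-style records, the field names ClientIP, ClientRequestPath and Datetime, and the action-to-event.type mapping are assumptions made for illustration; the allowed-value sets are the ones documented in the ECS 8.11 reference for event.kind, event.category, event.type and event.outcome.

```python
"""Normalize a custom log into ECS: free-form event.action, fixed-vocabulary categorization.

Added example, not from the thread. The records below are constructed; the
"Action" field name mirrors the Cloudflare WAF field the reply mentions.
"""
import json

# Allowed values per the ECS 8.11 reference. The reply itself only quotes the
# event.outcome set; the other three are the documented vocabularies.
ECS_KIND = {"alert", "enrichment", "event", "metric", "state", "pipeline_error", "signal"}
ECS_CATEGORY = {"api", "authentication", "configuration", "database", "driver", "email",
                "file", "host", "iam", "intrusion_detection", "library", "malware",
                "network", "package", "process", "registry", "session", "threat",
                "vulnerability", "web"}
ECS_TYPE = {"access", "admin", "allowed", "change", "connection", "creation", "deletion",
            "denied", "end", "error", "group", "indicator", "info", "installation",
            "protocol", "start", "user"}
ECS_OUTCOME = {"failure", "success", "unknown"}

# Implementer's choice (assumed here): how each source Action maps onto event.type.
# event.action itself is never translated; it carries the source value verbatim.
ACTION_TO_TYPE = {
    "block": ["denied"],
    "bypass": ["allowed"],
    "log": ["info"],
    "challenged": ["info"],
}

# Constructed sample input in the shape of Cloudflare WAF JSON lines.
SAMPLE_LINES = [
    '{"Datetime":"2024-01-10T12:00:01Z","ClientIP":"203.0.113.5",'
    '"ClientRequestPath":"/wp-login.php","Action":"block"}',
    '{"Datetime":"2024-01-10T12:00:02Z","ClientIP":"198.51.100.7",'
    '"ClientRequestPath":"/","Action":"log"}',
    '{"Datetime":"2024-01-10T12:00:03Z","ClientIP":"192.0.2.9",'
    '"ClientRequestPath":"/api/v1/users","Action":"challenged"}',
]


def normalize(line: str) -> dict:
    """Turn one WAF record into a flat ECS document (dotted keys)."""
    src = json.loads(line)
    action = src["Action"]
    return {
        "@timestamp": src["Datetime"],
        "source.ip": src["ClientIP"],
        "url.path": src["ClientRequestPath"],
        "event.action": action,                       # free-form, copied as-is
        "event.kind": "alert" if action == "block" else "event",
        "event.category": ["web"],
        "event.type": ACTION_TO_TYPE.get(action, ["info"]),  # unknown actions fall back to info
        "event.outcome": "unknown",                   # the record does not say if the action succeeded
    }


def validate_ecs(doc: dict) -> bool:
    """Raise ValueError if a categorization field holds a value outside its ECS vocabulary."""
    checks = {
        "event.kind": (ECS_KIND, False),
        "event.category": (ECS_CATEGORY, True),
        "event.type": (ECS_TYPE, True),
        "event.outcome": (ECS_OUTCOME, False),
    }
    for field, (allowed, is_list) in checks.items():
        values = doc[field] if is_list else [doc[field]]
        for value in values:
            if value not in allowed:
                raise ValueError(f"{field}={value!r} is not an allowed ECS value")
    return True


def normalize_all(lines) -> list:
    """Normalize every line and reject any document that breaks the ECS vocabularies."""
    docs = [normalize(line) for line in lines]
    for doc in docs:
        validate_ecs(doc)
    return docs


if __name__ == "__main__":
    for doc in normalize_all(SAMPLE_LINES):
        print(json.dumps(doc))
```

The validator is the practical point: a typo like event.outcome: "blocked" would silently break Security-module integration, so failing the pipeline at parse time is cheaper than discovering it in a detection rule later. Note that event.action is deliberately excluded from validation because, as the reply says, it has no fixed list.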

Appreciated. I got it.
