Application Fields
Overview
The application fields describe software or services referenced within event log messages. An application represents any logical or executable component identified in telemetry, from user-facing programs and APIs to infrastructure-level services such as web servers, databases, or authentication daemons. These fields capture descriptive and behavioral properties of the application as observed in the event context.
The application entity follows a hierarchical modeling pattern, where the prefix application represents the logical object, and each field suffix defines one of its measurable or identifying attributes.
Design and Usage
The application fields are top-level and are not appended to other entities. They describe the application as a distinct object involved in an event, whether as a traffic endpoint, authentication target, or monitored service.
Key design principles include:
- Conceptual clarity: Represents the notion of an "application" across diverse telemetry sources.
- Cross-domain applicability: Supports both host-based and network-derived event data.
- Behavioral context: Captures operational or transactional characteristics of an application.
- Descriptive consistency: Maintains uniform naming conventions across entities and products.
Common Use Cases
- Application activity analysis: Identify which applications are being accessed, executed, or monitored in event data.
- Performance measurement: Analyze response times and availability trends across monitored services.
- Access tracking: Correlate application references with user or process events to understand utilization and dependencies.
- Policy enforcement validation: Monitor specific applications for compliance with usage or authorization rules.
Implementation Notes
The application entity provides a normalized reference for any software or service described in event logs. It is flexible enough to accommodate data from both infrastructure monitoring systems and application-layer telemetry while maintaining semantic consistency across different platforms and event types.
| field | field_type | description | example_values |
|---|---|---|---|
| application_name | keyword/lowercase | Name of the application. This can be a layer 7 application name for network traffic, the name of the authenticating service or program for authentication events, etc. | Facebook, SQL, windows_rdp |
| application_response_time | keyword | Amount of time the application takes to respond to a request. | 0 |
| application_sso_signonmode | keyword | For Single Sign-On (SSO) events, this is the method used to access the application. | - |
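The following is an added example, not part of this schema documentation, showing how events from two different source types (a network flow record and an SSO authentication record, both with constructed, hypothetical shapes) are normalized onto the application fields above, with the keyword/lowercase requirement on application_name enforced during validation.

```python
"""Added example: normalizing constructed raw events into the application fields.

The raw event shapes (keys "app", "latency_ms", "signon_mode") are assumptions
for illustration; the field names and types come from the table above.
"""

# Field specification transcribed from the table: name -> (field_type, lowercase?)
APPLICATION_FIELDS = {
    "application_name": ("keyword", True),
    "application_response_time": ("keyword", False),
    "application_sso_signonmode": ("keyword", False),
}

# Constructed sample events from a network source and an SSO source (hypothetical shapes)
SAMPLE_EVENTS = [
    {"source": "firewall", "app": "Facebook", "latency_ms": "0"},
    {"source": "sso", "app": "Windows_RDP", "signon_mode": "SAML"},
]


def validate_application(fields):
    """Reject unknown application fields and enforce lowercase where the type demands it."""
    for name, value in fields.items():
        if name not in APPLICATION_FIELDS:
            raise ValueError(f"unknown application field: {name}")
        _, lowercase = APPLICATION_FIELDS[name]
        if not isinstance(value, str):
            raise TypeError(f"{name} must be a keyword string")
        if lowercase and value != value.lower():
            raise ValueError(f"{name} must be lowercase: {value!r}")
    return fields


def normalize_application(raw):
    """Map a raw vendor event onto the application.* fields.

    Only fields defined in APPLICATION_FIELDS are emitted; application_name is
    lowercased because its field_type is keyword/lowercase.
    """
    out = {}
    app = raw.get("app")
    if app:
        out["application_name"] = app.strip().lower()
    if "latency_ms" in raw:
        out["application_response_time"] = str(raw["latency_ms"])
    if "signon_mode" in raw:
        out["application_sso_signonmode"] = raw["signon_mode"]
    return validate_application(out)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(normalize_application(event))
```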
