Host Fields
Overview
The host entity represents a single physical or virtual device involved in an event. It provides a normalized view of system identity, addressing, and contextual attributes that characterize the device generating, receiving, or otherwise associated with the event.
Design and Usage
The host entity models device-level properties independently of vendor-specific terminology to maintain consistent interpretation across diverse telemetry sources. It supports scenarios where only one device is relevant to the event, such as endpoint activity, security detections, or system state reporting. When paired with other directional entities in networked events, host fields help clarify event semantics and maintain relational integrity.
Common Use Cases
- Describing the system where an action occurred when no network source or destination is applicable
- Normalizing device attributes such as hostname, operating system information, or hardware identifiers
- Supporting attribution and correlation across event types through stable identifiers
Implementation Notes
As a top-level entity, host defines a coherent object representing a singular device. Its fields are designed to accommodate physical hosts, virtual machines, and partitioned systems without implying a specific platform or technology. Host attributes should be included whenever a device is implied but no directional role is established, ensuring consistent modeling across event categories.
| field | field_type | description | example_values |
|---|---|---|---|
| host_device | keyword | Identifier representing a hardware or logical device associated with the host. | \Device\HarddiskVolume2 |
| host_hostname | keyword/lowercase | Name assigned to the host, including NetBIOS or DNS forms. | corpdc01, corpdc01.local, lab01.corpdomain.com |
| host_id | keyword | Unique identifier assigned to the host by the operating system or platform. | |
| host_ip | ip | IP address assigned to the host, supporting both IPv4 and IPv6. | 10.1.2.3, fe80:5cc3:11:4::2c |
| host_ipv6 | ip | IPv6 address associated with the host. | fe80:5cc3:11:4::2c |
| host_mac | keyword | Link-layer hardware address of the host. | 02:a1:f9:c2:d5:04 |
| host_reference | keyword/lowercase | Canonical host reference value derived from available identifiers (e.g., host_hostname, host_ip) to support consistent attribution; CIDR search will not work against this field. | 127.0.0.1, corpdc01, corpdc01.local, lab01.corpdomain.com |
| host_region | keyword | Geographic or logical region associated with the host, including service-assigned region values distinct from geolocation fields. | us-east-1 |
| host_type_version | keyword | Version information describing the operating system running on the host. | |
| host_virtfw_hostname | keyword/lowercase | For firewalls that operate as partitioned services, this is the name of the logical device. | |
| host_virtfw_id | keyword | For firewalls that operate as partitioned services, this is the ID value of the logical device. | |
| host_virtfw_uid | keyword | Unique identifier, such as a UUID value, representing a virtual host. | |
| host_vm_name | keyword | Virtual system name (not to be confused with the hostname). | |
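The following is an added illustration, not code from the schema's own tooling, of how a raw vendor event might be mapped onto the host fields above. The vendor key names (ComputerName, Address, MACAddr, OSVersion) are hypothetical; it shows the lowercase treatment of host_hostname and host_reference, the derivation of host_reference from hostname first and IP second, and why a CIDR match has to run against host_ip rather than the keyword-typed host_reference.

```python
import ipaddress

# Constructed sample: a vendor-specific endpoint event before normalization.
# The vendor key names here are hypothetical.
RAW_EVENT = {
    "ComputerName": "CorpDC01.Corpdomain.COM",
    "Address": "10.1.2.3",
    "MACAddr": "02:A1:F9:C2:D5:04",
    "OSVersion": "10.0.19045",
}


def normalize_host(raw: dict) -> dict:
    """Map hypothetical vendor keys onto the host_* fields of this schema."""
    host = {}
    name = raw.get("ComputerName")
    if name:
        host["host_hostname"] = name.lower()        # field_type keyword/lowercase
    addr = raw.get("Address")
    if addr:
        ip = ipaddress.ip_address(addr)             # ip type: validate, reject garbage
        host["host_ip"] = str(ip)
        if ip.version == 6:                         # mirror v6 into the v6-only field
            host["host_ipv6"] = str(ip)
    mac = raw.get("MACAddr")
    if mac:
        host["host_mac"] = mac.lower()              # assumption: canonical lowercase MAC
    if raw.get("OSVersion"):
        host["host_type_version"] = raw["OSVersion"]
    # host_reference: canonical attribution value, hostname preferred over IP.
    ref = host.get("host_hostname") or host.get("host_ip")
    if ref:
        host["host_reference"] = ref.lower()
    return host


def in_cidr(host: dict, cidr: str) -> bool:
    """CIDR matching must use host_ip (ip type). host_reference is a keyword,
    so a network search against it would only ever match an exact string."""
    if "host_ip" not in host:
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(host["host_ip"]) in net
```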
