Description
Modify `message` description to include alert rule names
Summary
The ECS `message` field description should be updated to clarify that it is not only for syslog-style logs but should also contain the name of the corresponding security rule, alert, or incident when applicable.
Motivation
Currently, the `message` field description primarily focuses on log events, describing it as the log message optimized for viewing. However, in security contexts, this field plays a critical role in surfacing key alerting information. Security detections, alerts, and incidents should populate `message` with their corresponding rule name, alert title, or incident name to provide better visibility in Elastic Security.
This enhancement will ensure a more consistent and meaningful use of the `message` field across security event sources.
Detailed Design
- Field Name: `message`
- Example Values:
- "Malicious PowerShell Execution - Suspicious Encoded Command"
- "Phishing Email Detected: Suspicious Domain in URL"
- "SentinelOne: Ransomware Activity Detected"
- "Office365 DLP Alert: Confidential Data Shared Externally"
- Suggested Data Type: `match_only_text`
- Example Events Mapped to the Proposed Use Case:
- Security detections in SIEM/XDR platforms
- EDR and NDR alerts
- Compliance violations and policy enforcement alerts
Proposed Updated Description:
For log events, the `message` field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
In security and detection events, `message` should contain the name of the corresponding security rule, alert, or incident to enhance visibility and investigation efficiency. If multiple messages exist, they can be combined into one message.
Type: `match_only_text`
Example: "Phishing Email Detected: Suspicious Domain in URL"
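The three rules in the proposed description (alerts carry the rule/alert/incident name, structured logs without an original message get a concatenated summary, and multiple messages are combined into one), as an added example that is not part of the RFC or of ECS itself. `rule.name`, `event.kind` and `event.action` are existing ECS fields; `alert.title` and `incident.name` are assumed vendor-specific fields, and the sample events are constructed.

```python
"""Populate the ECS `message` field according to the proposed description.

Added example, not ECS project code. The sample events are constructed.
"""
from typing import Any

# Candidate sources for the alert/rule/incident name, in priority order.
# rule.name is an ECS field; alert.title and incident.name are assumed
# vendor-specific fields used here only for illustration.
SECURITY_NAME_FIELDS = ("rule.name", "alert.title", "incident.name")

# Fields concatenated into a summary for structured logs with no message.
SUMMARY_FIELDS = ("event.action", "user.name", "host.name")


def _get(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS path such as 'rule.name' in a nested event."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def populate_message(event: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `event` with `message` filled per the proposal."""
    out = dict(event)
    existing = out.get("message")
    # Rule 3: multiple messages may be combined into one message.
    if isinstance(existing, list):
        out["message"] = " | ".join(str(m) for m in existing if m)
        return out
    if existing:
        return out  # an original message is always kept as-is
    # Rule 2: security/detection events carry the rule, alert or incident name.
    if _get(out, "event.kind") == "alert":
        for path in SECURITY_NAME_FIELDS:
            name = _get(out, path)
            if name:
                out["message"] = str(name)
                return out
    # Rule 1: structured log without an original message -> human-readable
    # summary concatenated from other fields.
    parts = [_get(out, p) for p in SUMMARY_FIELDS]
    summary = " ".join(str(p) for p in parts if p)
    if summary:
        out["message"] = summary
    return out
```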