diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3da5f57e80..31ef690df5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file based on the
### Added
* Add `host.name` field and clarify usage of `host.hostname`.
+* Add `event.start` and `event.end` date fields.
### Improvements
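Review bot: The changelog line only records the two new fields, but this PR also changes the guidance on `event.duration` (it is now expected to be derived from `event.start` and `event.end` when both are known). That is a behavioural change for producers, so add a second entry under Improvements, e.g. "* Clarify that `event.duration` should be the difference between `event.end` and `event.start` when both are set."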
diff --git a/README.md b/README.md
index 16d6878f14..2e0365642e 100644
--- a/README.md
+++ b/README.md
@@ -200,8 +200,10 @@ The event fields are used for context information about the data itself.
| event.severity | Severity describes the severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. | core | long | `7` |
| event.original | Raw text message of entire event. Used to demonstrate log integrity.
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | core | keyword | `Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232` |
| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | extended | keyword | `123456789012345678901234567890ABCD` |
-| event.duration | Duration of the event in nanoseconds. | core | long | |
+| event.duration | Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time. | core | long | |
| event.created | event.created contains the date when the event was created.
This timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different as the timestamp in the log line and when the event is read for example by Filebeat are not identical. `@timestamp` must contain the timestamp extracted from the log line, event.created when the log line is read. The same could apply to package capturing where @timestamp contains the timestamp extracted from the network package and event.created when the event was created.
In case the two timestamps are identical, @timestamp should be used. | core | date | |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | extended | date | |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | extended | date | |
| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | core | float | |
| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100.
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | extended | float | |
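Review bot: The new `event.duration` sentence ("the difference between the end and start time") leaves sign and unit implicit; state it as "`event.end` minus `event.start`, in nanoseconds", otherwise producers can emit seconds or a negative value when the two dates are swapped. The `event.start` / `event.end` rows also leave two questions open that the `event.created` row directly above answers for its own case: whether they should be populated at all when they equal `@timestamp`, and what "first observed" / "last observed" means for log input (the timestamp in the line, or when the collector read it). Since these are `extended` while `event.duration` is `core`, say explicitly that `event.duration` may be set without start/end and vice versa.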
diff --git a/fields.yml b/fields.yml
index ab77bc50c6..4dd11d3f32 100644
--- a/fields.yml
+++ b/fields.yml
@@ -474,6 +474,9 @@
description: >
Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the
+ difference between the end and start time.
+
- name: created
level: core
type: date
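Review bot: This text is identical to the `schemas/event.yml` hunk below, including the extra trailing blank line after the description. If `fields.yml` is produced from `schemas/` by the generator, confirm it was regenerated rather than hand-edited so the two copies cannot drift; if it is maintained by hand, the wording fix needed here (end minus start, in nanoseconds) must be applied in both places.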
@@ -491,6 +494,20 @@
In case the two timestamps are identical, @timestamp should be used.
+ - name: start
+ level: extended
+ type: date
+ description: >
+ event.start contains the date when the event started or when the
+ activity was first observed.
+
+ - name: end
+ level: extended
+ type: date
+ description: >
+ event.end contains the date when the event ended or when the activity
+ was last observed.
+
- name: risk_score
level: core
type: float
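Review bot: `start` and `end` are inserted here in start/end order, while `schema.csv` lists them alphabetically (`event.end` before `event.start`). That is fine if each file follows its own ordering rule, but check that this file's ordering matches what the generator emits for the other fields in the `event` group (e.g. `created` sits before `start` here even though `c` < `s` would also be alphabetical), so a later regeneration does not produce a spurious reorder diff.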
diff --git a/schema.csv b/schema.csv
index 55cc80d097..9a1a4e891f 100644
--- a/schema.csv
+++ b/schema.csv
@@ -41,6 +41,7 @@ event.category,keyword,core,metrics
event.created,date,core,
event.dataset,keyword,core,stats
event.duration,long,core,
+event.end,date,extended,
event.hash,keyword,extended,123456789012345678901234567890ABCD
event.id,keyword,core,8a4f500d
event.module,keyword,core,mysql
@@ -48,6 +49,7 @@ event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threa
event.risk_score,float,core,
event.risk_score_norm,float,extended,
event.severity,long,core,7
+event.start,date,extended,
event.type,keyword,core,nginx-stats-metrics
file.ctime,date,extended,
file.device,keyword,extended,
diff --git a/schemas/event.yml b/schemas/event.yml
index ac8f725dc8..3b310cbd74 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -106,6 +106,9 @@
description: >
Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the
+ difference between the end and start time.
+
- name: created
level: core
type: date
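Review bot: "the difference between the end and start time" should be made unambiguous as "`event.end` minus `event.start`, expressed in nanoseconds" to match the sentence before it; as written, a producer working from millisecond timestamps could store a millisecond delta and still satisfy the text. Also say whether the field is still expected when only one of `event.start` / `event.end` is known (the "if ... are known" phrasing suggests it is optional in that case, but `duration` is `core` and start/end are `extended`, so the more common case is duration without start/end).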
@@ -123,6 +126,20 @@
In case the two timestamps are identical, @timestamp should be used.
+ - name: start
+ level: extended
+ type: date
+ description: >
+ event.start contains the date when the event started or when the
+ activity was first observed.
+
+ - name: end
+ level: extended
+ type: date
+ description: >
+ event.end contains the date when the event ended or when the activity
+ was last observed.
+
- name: risk_score
level: core
type: float
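Review bot: The `start` and `end` descriptions do not say which clock "observed" refers to, and the `created` entry directly above draws exactly that distinction for `@timestamp` versus `event.created` (time in the log line versus time the line was read). Spell out the intended side here, e.g. "the timestamp carried by the event source, not the time the collector saw it", so that a session or flow record and its log-derived counterpart populate the same value. It is also worth stating that `event.end` must not precede `event.start`, and that `event.end` may be absent while the activity is still in progress, since `duration` is now defined in terms of these two fields.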
diff --git a/template.json b/template.json
index 1332ea9dca..d550b633b8 100644
--- a/template.json
+++ b/template.json
@@ -215,6 +215,9 @@
"duration": {
"type": "long"
},
+ "end": {
+ "type": "date"
+ },
"hash": {
"ignore_above": 1024,
"type": "keyword"
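Review bot: `end` is mapped as plain `date` with no `format`, consistent with `created`, so Elasticsearch's default date format applies and values are stored with millisecond resolution. Since `event.duration` is a nanosecond `long` that the schema now defines as `end` minus `start`, note in the field descriptions that a duration recomputed from the indexed dates will only be millisecond-accurate and can differ from the producer-supplied `event.duration`; queries that compare the two should expect that rounding.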
@@ -242,6 +245,9 @@
"severity": {
"type": "long"
},
+ "start": {
+ "type": "date"
+ },
"type": {
"ignore_above": 1024,
"type": "keyword"