Elastic’s official ECS guidelines define Core fields as the fields most common across use cases and explicitly state that analysis content built on these fields should work properly on data from any relevant source. They also say to focus on populating these fields first. CrowdStrike’s CPS builds on ECS and is intended to standardize field names and structures across different data sources for consistent searching and analysis. Together, that makes Core fields the right answer when your goal is a consistent cross-source view.
Why the other options are incorrect:
Extended fields are useful, but ECS defines them as anything not in the core set, so they are not the primary normalization target for broad consistency.
Base fields and Detection fields are not the correct ECS field-type answer to this question as framed.
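To show why populating Core fields first gives a consistent cross-source view, here is an added Python example (not code from the page, Elastic or CrowdStrike) that maps two constructed source formats onto ECS Core field names and then runs one query over both; the raw field names and sample values are assumed.

```python
from collections import Counter
from typing import Any, Dict, List

# Constructed sample records from two different sources (not real telemetry).
# The raw field names differ per source; only the ECS mapping makes them comparable.
RAW_EVENTS: List[Dict[str, Any]] = [
    {"src": "winlog", "EventID": 4625, "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TimeCreated": "2024-05-01T10:00:00Z"},
    {"src": "vpn", "action": "login", "result": "fail", "user": "alice",
     "client_ip": "203.0.113.9", "ts": "2024-05-01T10:00:30Z"},
    {"src": "winlog", "EventID": 4624, "TargetUserName": "bob",
     "IpAddress": "10.0.0.6", "TimeCreated": "2024-05-01T10:01:00Z"},
]

# ECS Core fields every mapped event must carry so shared analysis content works.
REQUIRED_CORE = ("@timestamp", "event.kind", "event.category",
                 "event.outcome", "user.name", "source.ip")


def to_ecs(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map one source-specific record onto ECS Core fields (dotted names)."""
    if raw["src"] == "winlog":
        # Windows logon events: 4624 = success, 4625 = failure.
        outcome = "failure" if raw["EventID"] == 4625 else "success"
        ts, user, ip = raw["TimeCreated"], raw["TargetUserName"], raw["IpAddress"]
    elif raw["src"] == "vpn":
        outcome = "failure" if raw["result"] == "fail" else "success"
        ts, user, ip = raw["ts"], raw["user"], raw["client_ip"]
    else:
        raise ValueError(f"no ECS mapping for source {raw['src']!r}")
    return {"@timestamp": ts, "event.kind": "event",
            "event.category": "authentication", "event.type": "start",
            "event.outcome": outcome, "user.name": user, "source.ip": ip,
            "ecs.version": "8.0.0"}


def missing_core_fields(event: Dict[str, Any]) -> List[str]:
    """Return the Core fields a mapped event failed to populate (empty = OK)."""
    return [f for f in REQUIRED_CORE if not event.get(f)]


def failed_logons_by_user(events: List[Dict[str, Any]]) -> Counter:
    """One source-agnostic query: count authentication failures per user."""
    return Counter(e["user.name"] for e in events
                   if e["event.category"] == "authentication"
                   and e["event.outcome"] == "failure")


if __name__ == "__main__":
    ecs_events = [to_ecs(r) for r in RAW_EVENTS]
    print(failed_logons_by_user(ecs_events))  # alice seen failing in both sources
```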