Adding the event.action field #26

Merged
merged 3 commits into from
Jun 22, 2018
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file based on the
### Bugfixes

### Added
* Add `event.action` field. #21
* Adds cloud.account.id for top level organizational level. #11
* Add `http.response.status_code` and `http.response.body` fields. #4
* Add fields for Operating System data. #5
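Review bot: the new changelog entry cites #21 while this pull request is #26; if #21 is the issue that requested the field that is fine, otherwise reference the PR number so the entry links to the merged change. Also check the entry order: the surrounding lines run #11, #4, #5, so the list is not sorted by number, and a newest-first convention would put `#26`/`#21` at the top as done here.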
1 change: 1 addition & 0 deletions README.md
@@ -165,6 +165,7 @@ The event fields are used for context information about the data itself.
| <a name="event.id"></a>`event.id` | Unique ID to describe the event. | keyword | | `8a4f500d` |
| <a name="event.category"></a>`event.category` | Event category.<br/>This can be a user defined category. | keyword | | `metrics` |
| <a name="event.type"></a>`event.type` | A type given to this kind of event which can be used for grouping.<br/>This is normally defined by the user. | keyword | | `nginx-stats-metrics` |
| <a name="event.action"></a>`event.action` | The action captured by the event. The type of action will vary from system to system but is likely to include actions by security services, such as blocking or quarantining; as well as more generic actions such as login events, file i/o or proxy forwarding events.<br/>The value is normally defined by the user. | keyword | | `reject` |
| <a name="event.module"></a>`event.module` | Name of the module this data is coming from.<br/>This information is coming from the modules used in Beats or Logstash. | keyword | | `mysql` |
| <a name="event.dataset"></a>`event.dataset` | Name of the dataset.<br/>The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. | keyword | | `stats` |
| <a name="event.severity"></a>`event.severity` | Severity describes the severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. | long | | `7` |
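Review bot: the new `event.action` row says "The value is normally defined by the user", so there is no controlled vocabulary; for a field meant to carry security-service actions (block, quarantine, reject) that makes cross-source detection queries fragile. Suggest the description at least state the expected shape (short, lowercase, stable token like the `reject` example) so implementers do not emit `Reject`, `REJECTED` and `blocked` for the same outcome. The row text is identical to the `schemas/event.yml` description, so confirm README.md was regenerated from the schema rather than hand-edited.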
1 change: 1 addition & 0 deletions schema.csv
@@ -37,6 +37,7 @@ device.version,keyword,0,
error.code,keyword,0,
error.id,keyword,0,
error.message,text,0,
event.action,keyword,0,reject
event.category,keyword,0,metrics
event.created,date,0,
event.dataset,keyword,0,stats
11 changes: 11 additions & 0 deletions schemas/event.yml
@@ -27,6 +27,17 @@
This is normally defined by the user.
example: nginx-stats-metrics

- name: action
type: keyword
description: >
The action captured by the event. The type of action will vary from
system to system but is likely to include actions by security services,
such as blocking or quarantining; as well as more generic actions such
as login events, file i/o or proxy forwarding events.

The value is normally defined by the user.
example: reject

- name: module
type: keyword
description: >
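Review bot: "file i/o" in the folded description should read "file I/O", and since README.md is generated from this text the fix belongs here rather than in the README row. The blank line inside the `>` folded scalar is intentional (it yields a paragraph break before "The value is normally defined by the user."), so keep it. The rendered diff drops indentation, so also double-check that `- name: action` sits at the same list level as the `- name: module` entry below it.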
4 changes: 4 additions & 0 deletions template.json
@@ -204,6 +204,10 @@
},
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
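Review bot: the mapping matches the sibling `category` entry (`keyword`, `ignore_above: 1024`), which is what a user-defined action token needs; nothing to change here, but confirm template.json was regenerated from `schemas/event.yml` rather than edited by hand so the two cannot drift.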