elastic · ricardo-estc · Sep 16, 2025 · Sep 12, 2025 · Sep 12, 2025 · Sep 15, 2025
@@ -25,6 +25,11 @@ These fields are in beta and are subject to change.
 | $$$field-device-manufacturer$$$ [device.manufacturer](#field-device-manufacturer) | The vendor name of the device manufacturer.<br><br>type: keyword<br><br>example: `Samsung`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [device.manufacturer](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-manufacturer) | extended |
 | $$$field-device-model-identifier$$$ [device.model.identifier](#field-device-model-identifier) | The machine readable identifier of the device model.<br><br>type: keyword<br><br>example: `SM-G920F`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [device.model.identifier](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-model-identifier) | extended |
 | $$$field-device-model-name$$$ [device.model.name](#field-device-model-name) | The human readable marketing name of the device model.<br><br>type: keyword<br><br>example: `Samsung Galaxy S6`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [device.model.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-model-name) | extended |
+| $$$field-device-product-id$$$ [device.product.id](#field-device-product-id) | _This field is beta and subject to change._ A unique identifier assigned by the vendor to distinguish different product models. This is typically a hexadecimal value that, combined with the vendor ID, creates a globally unique device identifier.<br><br>The product ID is assigned by the device manufacturer and should remain consistent across all instances of the same product model. For hardware devices, this often corresponds to the Product ID (PID) in device descriptors.<br><br>See https://learn.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers for more details on product identification standards.<br><br>type: keyword<br><br>example: `43981` | extended |
+| $$$field-device-product-name$$$ [device.product.name](#field-device-product-name) | _This field is beta and subject to change._ The human-readable marketing or commercial name of the device as designated by the manufacturer. This name is typically found in product documentation, marketing materials, or device packaging.<br><br>Unlike the product.id which is a technical identifier, this field contains the consumer-facing product name that would be recognizable to end users. The name should be exactly as provided by the manufacturer and may include model numbers, series designations, or other identifying information.<br><br>type: keyword<br><br>example: `Extreme V2 SSD` | extended |
 | $$$field-device-serial-number$$$ [device.serial_number](#field-device-serial-number) | _This field is beta and subject to change._ The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication.<br><br>type: keyword<br><br>example: `DJGAQS4CW5` | core |
+| $$$field-device-type$$$ [device.type](#field-device-type) | _This field is beta and subject to change._ A classification of the device based on its primary function or device class. This field categorizes devices into functional groups to enable policy enforcement and monitoring based on device capabilities.<br><br>The classification should follow standard device class definitions where possible, such as "Storage Device", "Human Interface Device", "Audio", "Video", "Network", "Communication", etc. This allows for consistent categorization across different device types and manufacturers.<br><br>See https://www.usb.org/defined-class-codes for standard device class definitions.<br><br>type: keyword<br><br>example: `Storage Device` | extended |
+| $$$field-device-vendor-id$$$ [device.vendor.id](#field-device-vendor-id) | _This field is beta and subject to change._ A unique identifier assigned to device manufacturers by standards organizations. This is typically a hexadecimal value that uniquely identifies the vendor/manufacturer of the device.<br><br>The vendor ID is assigned by standards bodies and remains consistent across all products from the same manufacturer. For hardware devices, this often corresponds to the Vendor ID (VID) in device descriptors. This identifier enables tracking and policy enforcement at the manufacturer level.<br><br>See https://learn.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers for more information on vendor identification standards.<br><br>type: keyword<br><br>example: `4660` | extended |
+| $$$field-device-vendor-name$$$ [device.vendor.name](#field-device-vendor-name) | _This field is beta and subject to change._ The name of the organization or company that manufactured or produced the device. This should be the official registered business name or commonly recognized brand name of the manufacturer.<br><br>The vendor name provides human-readable identification of the device manufacturer and should be consistent with the vendor.id field. This field is useful for reporting, device inventory management, and applying vendor-specific policies or security rules.<br><br>type: keyword<br><br>example: `SanDisk` | extended |
 
 
@@ -38,7 +38,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | General Database | · | [14](https://opentelemetry.io/docs/specs/semconv/attributes-registry/db) | · | · | · | · | · | · |  |
 | Deployment | · | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/deployment) | · | · | · | · | · | · |  |
 | Destination | [12](/reference/ecs-destination.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/destination) | 2 | · | · | · | · | · | · |
-| Device | [5](/reference/ecs-device.md) | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device) | 4 | · | · | · | · | · | · |
+| Device | [10](/reference/ecs-device.md) | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device) | 4 | · | · | · | · | · | · |
 | Disk | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/disk) | · | · | · | · | · | · |  |
 | DLL | [4](/reference/ecs-dll.md) | · | · | · | · | · | · | · | · |
 | DNS | [18](/reference/ecs-dns.md) | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns) | 1 | · | · | · | · | · | · |

@@ -1230,6 +1230,36 @@
       description: The human readable marketing name of the device model.
       example: Samsung Galaxy S6
       default_field: false
+    - name: product.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A unique identifier assigned by the vendor to distinguish different
+        product models. This is typically a hexadecimal value that, combined with
+        the vendor ID, creates a globally unique device identifier.
+
+        The product ID is assigned by the device manufacturer and should remain consistent
+        across all instances of the same product model. For hardware devices, this
+        often corresponds to the Product ID (PID) in device descriptors.
+
+        See https://learn.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers
+        for more details on product identification standards.'
+      example: 43981
+      default_field: false
+    - name: product.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The human-readable marketing or commercial name of the device
+        as designated by the manufacturer. This name is typically found in product
+        documentation, marketing materials, or device packaging.
+
+        Unlike the product.id which is a technical identifier, this field contains
+        the consumer-facing product name that would be recognizable to end users.
+        The name should be exactly as provided by the manufacturer and may include
+        model numbers, series designations, or other identifying information.'
+      example: Extreme V2 SSD
+      default_field: false
     - name: serial_number
       level: core
       type: keyword
@@ -1238,6 +1268,53 @@
         device, aiding in inventory management and device authentication.
       example: DJGAQS4CW5
       default_field: false
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A classification of the device based on its primary function or
+        device class. This field categorizes devices into functional groups to enable
+        policy enforcement and monitoring based on device capabilities.
+
+        The classification should follow standard device class definitions where possible,
+        such as "Storage Device", "Human Interface Device", "Audio", "Video", "Network",
+        "Communication", etc. This allows for consistent categorization across different
+        device types and manufacturers.
+
+        See https://www.usb.org/defined-class-codes for standard device class definitions.'
+      example: Storage Device
+      default_field: false
+    - name: vendor.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A unique identifier assigned to device manufacturers by standards
+        organizations. This is typically a hexadecimal value that uniquely identifies
+        the vendor/manufacturer of the device.
+
+        The vendor ID is assigned by standards bodies and remains consistent across
+        all products from the same manufacturer. For hardware devices, this often
+        corresponds to the Vendor ID (VID) in device descriptors. This identifier
+        enables tracking and policy enforcement at the manufacturer level.
+
+        See https://learn.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers
+        for more information on vendor identification standards.'
+      example: 4660
+      default_field: false
+    - name: vendor.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The name of the organization or company that manufactured or produced
+        the device. This should be the official registered business name or commonly
+        recognized brand name of the manufacturer.
+
+        The vendor name provides human-readable identification of the device manufacturer
+        and should be consistent with the vendor.id field. This field is useful for
+        reporting, device inventory management, and applying vendor-specific policies
+        or security rules.'
+      example: SanDisk
+      default_field: false
   - name: dll
     title: DLL
     group: 2

@@ -146,7 +146,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.2.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer.
 9.2.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model.
 9.2.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model.
+9.2.0-dev+exp,true,device,device.product.id,keyword,extended,,43981,ProductID of the device
+9.2.0-dev+exp,true,device,device.product.name,keyword,extended,,Extreme V2 SSD,Product name of the device
 9.2.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device
+9.2.0-dev+exp,true,device,device.type,keyword,extended,,Storage Device,Device type classification
+9.2.0-dev+exp,true,device,device.vendor.id,keyword,extended,,4660,VendorID of the device
+9.2.0-dev+exp,true,device,device.vendor.name,keyword,extended,,SanDisk,Vendor name of the device
 9.2.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 9.2.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
 9.2.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process

@@ -1858,6 +1858,46 @@ device.model.name:
     stability: development
   short: The human readable marketing name of the device model.
   type: keyword
+device.product.id:
+  beta: This field is beta and subject to change.
+  dashed_name: device-product-id
+  description: 'A unique identifier assigned by the vendor to distinguish different
+    product models. This is typically a hexadecimal value that, combined with the
+    vendor ID, creates a globally unique device identifier.
+
+    The product ID is assigned by the device manufacturer and should remain consistent
+    across all instances of the same product model. For hardware devices, this often
+    corresponds to the Product ID (PID) in device descriptors.
+
+    See https://learn.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers
+    for more details on product identification standards.'
+  example: 43981
+  flat_name: device.product.id
+  ignore_above: 1024
+  level: extended
+  name: product.id
+  normalize: []
+  short: ProductID of the device
+  type: keyword
+device.product.name:
+  beta: This field is beta and subject to change.
+  dashed_name: device-product-name
+  description: 'The human-readable marketing or commercial name of the device as designated
+    by the manufacturer. This name is typically found in product documentation, marketing
+    materials, or device packaging.
+
+    Unlike the product.id which is a technical identifier, this field contains the
+    consumer-facing product name that would be recognizable to end users. The name
+    should be exactly as provided by the manufacturer and may include model numbers,
+    series designations, or other identifying information.'
+  example: Extreme V2 SSD
+  flat_name: device.product.name
+  ignore_above: 1024
+  level: extended
+  name: product.name
+  normalize: []
+  short: Product name of the device
+  type: keyword
 device.serial_number:
   beta: This field is beta and subject to change.
   dashed_name: device-serial-number
@@ -1871,6 +1911,68 @@ device.serial_number:
   normalize: []
   short: Serial Number of the device
   type: keyword
+device.type:
+  beta: This field is beta and subject to change.
+  dashed_name: device-type
+  description: 'A classification of the device based on its primary function or device
+    class. This field categorizes devices into functional groups to enable policy
+    enforcement and monitoring based on device capabilities.
+
+    The classification should follow standard device class definitions where possible,
+    such as "Storage Device", "Human Interface Device", "Audio", "Video", "Network",
+    "Communication", etc. This allows for consistent categorization across different
+    device types and manufacturers.
+
+    See https://www.usb.org/defined-class-codes for standard device class definitions.'
+  example: Storage Device
+  flat_name: device.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  short: Device type classification
+  type: keyword
+device.vendor.id:
+  beta: This field is beta and subject to change.
+  dashed_name: device-vendor-id
+  description: 'A unique identifier assigned to device manufacturers by standards
+    organizations. This is typically a hexadecimal value that uniquely identifies
+    the vendor/manufacturer of the device.
+
+    The vendor ID is assigned by standards bodies and remains consistent across all
+    products from the same manufacturer. For hardware devices, this often corresponds
+    to the Vendor ID (VID) in device descriptors. This identifier enables tracking
+    and policy enforcement at the manufacturer level.
+
+    See https://learn.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers
+    for more information on vendor identification standards.'
+  example: 4660
+  flat_name: device.vendor.id
+  ignore_above: 1024
+  level: extended
+  name: vendor.id
+  normalize: []
+  short: VendorID of the device
+  type: keyword
+device.vendor.name:
+  beta: This field is beta and subject to change.
+  dashed_name: device-vendor-name
+  description: 'The name of the organization or company that manufactured or produced
+    the device. This should be the official registered business name or commonly recognized
+    brand name of the manufacturer.
+
+    The vendor name provides human-readable identification of the device manufacturer
+    and should be consistent with the vendor.id field. This field is useful for reporting,
+    device inventory management, and applying vendor-specific policies or security
+    rules.'
+  example: SanDisk
+  flat_name: device.vendor.name
+  ignore_above: 1024
+  level: extended
+  name: vendor.name
+  normalize: []
+  short: Vendor name of the device
+  type: keyword
 dll.code_signature.digest_algorithm:
   dashed_name: dll-code-signature-digest-algorithm
   description: 'The hashing algorithm used to sign the process.