diff --git a/intelmq/bots/experts/ecs/expert.py b/intelmq/bots/experts/ecs/expert.py
new file mode 100644
index 0000000000..ccaadde200
--- /dev/null
+++ b/intelmq/bots/experts/ecs/expert.py
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2021 Birger Schacht
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+import json
+from intelmq.lib.bot import Bot
+
+
+class ECSExpertBot(Bot):
+    """Write some fields to the output field in ECS format"""
+
+    def process(self):
+        msg = self.receive_message()
+
+        ecs = {}
+
+        # If the event source has no original timestamp, this value is
+        # typically populated by the first time the event was received by the
+        # pipeline.
+        # (https://www.elastic.co/guide/en/ecs/current/ecs-base.html)
+        ecs['@timestamp'] = msg['time.source'] if 'time.source' in msg else msg['time.observation']
+
+        if 'feed.provider' in msg:
+            ecs['event.provider'] = msg['feed.provider']
+        if 'source.ip' in msg:
+            ecs['server.ip'] = msg['source.ip']
+        if 'source.fqdn' in msg:
+            ecs['server.domain'] = msg['source.fqdn']
+        if 'feed.name' in msg:
+            ecs['event.dataset'] = msg['feed.name']
+
+        msg.add("output", json.dumps(ecs))
+
+        self.send_message(msg)
+        self.acknowledge_message()
+
+
+BOT = ECSExpertBot