Elastic Security ECS field reference
editElastic Security ECS field reference
editThis section lists ECS fields Elastic Security uses to display data.
It is recommended to use Beats to ship your data. Beat modules (for example, Filebeat modules) are ECS-compliant so manual field mapping is not required, and all Elastic Security app data is automatically populated. If you cannot use Beats, map your data to ECS fields (see how to map data to ECS). You can also try using the experimental ECS Mapper tool.
Host fields
editThese fields must be mapped to display host data in the Elastic Security app:
-
@timestamp
-
host.name
These fields can be mapped to display additional host data in the Elastic Security app:
-
cloud.instance.id
-
cloud.machine.type
-
cloud.provider
-
cloud.region
-
host.architecture
-
host.id
-
host.ip
-
host.mac
-
host.os.family
-
host.os.name
-
host.os.platform
-
host.os.version
Authentication fields
editThese fields must be mapped to display host authentication data in the Elastic Security app:
-
event.category
To display authentication data in the Elastic Security app, you must map authentication events to the
event.category
field with a value ofauthentication
. -
event.outcome
This field can be mapped to display additional host authentication data in the Elastic Security app:
-
user.name
Uncommon process fields
editThis field must be mapped to display host uncommon process data in the Elastic Security app:
-
process.name
These fields can be mapped to display additional uncommon process data in the Elastic Security app:
-
agent.type
-
event.action
-
event.category
-
event.code
-
event.dataset
-
event.module
-
process.args
-
user.id
-
user.name
Network fields
editThese fields must be mapped to display network data in the Elastic Security app:
-
@timestamp
-
destination.geo.location
(required for displaying map data) -
destination.ip
-
source.geo.location
(required for displaying map data) -
source.ip
These fields can be mapped to display additional network data in the Elastic Security app:
-
destination.as.number
-
destination.as.organization.name
-
destination.bytes
-
destination.domain
-
destination.geo.country_iso_code
-
source.as.number
-
source.as.organization.name
-
source.bytes
-
source.domain
-
source.geo.country_iso_code
DNS query fields
editThese fields must be mapped to display DNS data in the Elastic Security app:
-
dns.question.name
-
dns.question.registered_domain
This field can be mapped to display additional DNS data in the Elastic Security app:
-
dns.question.type
If you want to be able to filter out PTR records, make sure relevant events populate the
dns.question.type
field with a value ofPTR
.
HTTP request fields
editThese fields must be mapped to display HTTP request data in the Elastic Security app:
-
http.request.method
-
http.response.status_code
-
url.domain
-
url.path
TLS fields
editThis field must be mapped to display TLS data in the Elastic Security app:
-
tls.server.hash.sha1
These fields can be mapped to display additional TLS data in the Elastic Security app:
-
tls.server.issuer
-
tls.server.ja3s
-
tls.server.not_after
-
tls.server.subject
Event and external alert fields
editThese fields must be mapped to display event and external alert data in the Elastic Security app:
-
@timestamp
-
event.kind
For external alerts, the
event.kind
field value must bealert
.
These fields can be mapped to display additional event and external alert data in the Elastic Security app:
-
destination.bytes
-
destination.geo.city_name
-
destination.geo.continent_name
-
destination.geo.country_iso_code
-
destination.geo.country_name
-
destination.geo.region_iso_code
-
destination.geo.region_name
-
destination.ip
-
destination.packets
-
destination.port
-
dns.question.name
-
dns.question.type
-
dns.resolved_ip
-
dns.response_code
-
event.action
-
event.category
-
event.code
-
event.created
-
event.dataset
-
event.duration
-
event.end
-
event.hash
-
event.id
-
event.module
-
event.original
-
event.outcome
-
event.provider
-
event.risk_score_norm
-
event.risk_score
-
event.severity
-
event.start
-
event.timezone
-
event.type
-
file.ctime
-
file.device
-
file.extension
-
file.gid
-
file.group
-
file.inode
-
file.mode
-
file.mtime
-
file.name
-
file.owner
-
file.path
-
file.size
-
file.target_path
-
file.type
-
file.uid
-
host.id
-
host.ip
-
http.request.body.bytes
-
http.request.body.content
-
http.request.method
-
http.request.referrer
-
http.response.body.bytes
-
http.response.body.content
-
http.response.status_code
-
http.version
-
message
-
network.bytes
-
network.community_id
-
network.direction
-
network.packets
-
network.protocol
-
network.transport
-
pe.original_file_name
-
process.args
-
process.executable
-
process.hash.md5
-
process.hash.sha1
-
process.hash.sha256
-
process.name
-
process.parent.executable
-
process.parent.name
-
process.pid
-
process.ppid
-
process.title
-
process.working_directory
-
rule.reference
-
source.bytes
-
source.geo.city_name
-
source.geo.continent_name
-
source.geo.country_iso_code
-
source.geo.country_name
-
source.geo.region_iso_code
-
source.geo.region_name
-
source.ip
-
source.packets
-
source.port
-
user.domain
-
user.name