Elastic Security ECS field reference

edit

Elastic Security ECS field reference

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This section lists Elastic Common Schema (ECS) fields used by Elastic Security to provide an optimal SIEM and security analytics experience to users. These fields are used to display data, provide rule previews, enable detection by prebuilt detection rules, provide context during rule triage and investigation, escalate to cases, and more.

We recommend you use Elastic Agent integrations or Beats to ship your data to Elastic Security. Elastic Agent integrations and Beat modules (for example, Filebeat modules) are ECS-compliant, which means data they ship to Elastic Security will automatically populate the relevant ECS fields. If you plan to use a custom implementation to map your data to ECS fields (see how to map data to ECS), ensure the always required fields are populated. Ideally, all relevant ECS fields should be populated as well.

For detailed information about which ECS fields can appear in documents generated by Elastic Endpoint, refer to the Endpoint event documentation.

Always required fields
edit

Elastic Security requires all event and threat intelligence data to be normalized to ECS. For proper operation, all data must contain the following ECS fields:

  • @timestamp
  • ecs.version
  • event.kind
  • event.category
  • event.type
Fields required for process events
edit

Elastic Security relies on these fields to analyze and display process data:

  • process.name
  • process.pid
Fields required for host events
edit

Elastic Security relies on these fields to analyze and display host data:

  • host.name
  • host.id

Elastic Security may use these fields to display additional host data:

  • cloud.instance.id
  • cloud.machine.type
  • cloud.provider
  • cloud.region
  • host.architecture
  • host.ip
  • host.mac
  • host.os.family
  • host.os.name
  • host.os.platform
  • host.os.version
Authentication fieldsedit

Elastic Security relies on these fields and values to analyze and display host authentication data:

  • event.category:authentication
  • event.outcome:success or event.outcome:failure

Elastic Security may also use this field to display additional host authentication data:

  • user.name
Uncommon process fieldsedit

Elastic Security relies on this field to analyze and display host uncommon process data:

  • process.name

Elastic Security may also use these fields to display uncommon process data:

  • agent.type
  • event.action
  • event.code
  • event.dataset
  • event.module
  • process.args
  • user.id
  • user.name
Fields required for network events
edit

Elastic Security relies on these fields to analyze and display network data:

  • destination.geo.location (required for display of map data)
  • destination.ip
  • source.geo.location (required to display map data)
  • source.ip

Elastic Security may also use these fields to analyze and display network data:

  • destination.as.number
  • destination.as.organization.name
  • destination.bytes
  • destination.domain
  • destination.geo.country_iso_code
  • source.as.number
  • source.as.organization.name
  • source.bytes
  • source.domain
  • source.geo.country_iso_code
DNS query fieldsedit

Elastic Security relies on these fields to analyze and display DNS data:

  • dns.question.name
  • dns.question.registered_domain

Elastic Security may also use this field to display DNS data:

  • dns.question.type

    If you want to be able to filter out PTR records, make sure relevant events have dns.question.type fields with values of PTR.

HTTP request fieldsedit

Elastic Security relies on these fields to analyze and display HTTP request data:

  • http.request.method
  • http.response.status_code
  • url.domain
  • url.path
TLS fieldsedit

Elastic Security relies on this field to analyze and display TLS data:

  • tls.server.hash.sha1

Elastic Security may also use these fields to analyze and display TLS data:

  • tls.server.issuer
  • tls.server.ja3s
  • tls.server.not_after
  • tls.server.subject
Fields required for events and external alerts
edit

Elastic Security relies on this field to analyze and display event and external alert data:

  • event.kind

    For external alerts, the event.kind field’s value must be alert.

Elastic Security may also use these fields to analyze and display event and external alert data:

  • destination.bytes
  • destination.geo.city_name
  • destination.geo.continent_name
  • destination.geo.country_iso_code
  • destination.geo.country_name
  • destination.geo.region_iso_code
  • destination.geo.region_name
  • destination.ip
  • destination.packets
  • destination.port
  • dns.question.name
  • dns.question.type
  • dns.resolved_ip
  • dns.response_code
  • event.action
  • event.code
  • event.created
  • event.dataset
  • event.duration
  • event.end
  • event.hash
  • event.id
  • event.module
  • event.original
  • event.outcome
  • event.provider
  • event.risk_score_norm
  • event.risk_score
  • event.severity
  • event.start
  • event.timezone
  • file.ctime
  • file.device
  • file.extension
  • file.gid
  • file.group
  • file.inode
  • file.mode
  • file.mtime
  • file.name
  • file.owner
  • file.path
  • file.size
  • file.target_path
  • file.type
  • file.uid
  • host.id
  • host.ip
  • http.request.body.bytes
  • http.request.body.content
  • http.request.method
  • http.request.referrer
  • http.response.body.bytes
  • http.response.body.content
  • http.response.status_code
  • http.version
  • message
  • network.bytes
  • network.community_id
  • network.direction
  • network.packets
  • network.protocol
  • network.transport
  • pe.original_file_name
  • process.args
  • process.executable
  • process.hash.md5
  • process.hash.sha1
  • process.hash.sha256
  • process.name
  • process.parent.executable
  • process.parent.name
  • process.pid
  • process.ppid
  • process.title
  • process.working_directory
  • rule.reference
  • source.bytes
  • source.geo.city_name
  • source.geo.continent_name
  • source.geo.country_iso_code
  • source.geo.country_name
  • source.geo.region_iso_code
  • source.geo.region_name
  • source.ip
  • source.packets
  • source.port
  • user.domain
  • user.name