---
mapped_pages:
  - https://www.elastic.co/guide/en/security/current/siem-field-reference.html
  - https://www.elastic.co/guide/en/serverless/current/security-siem-field-reference.html
applies_to:
  stack: all
  serverless:
    security: all
products:
  - id: security
  - id: cloud-serverless
---

# Elastic Security ECS field reference [siem-field-reference]

This section lists [Elastic Common Schema](ecs://reference/index.md) fields that provide an optimal SIEM and security analytics experience to users. These fields are used to display data, provide rule previews, enable detection by prebuilt detection rules, provide context during rule triage and investigation, escalate to cases, and more.

::::{important}
We recommend you use {{agent}} integrations or {{beats}}  to ship your data to {{elastic-sec}}. {{agent}} integrations and Beat modules (for example, [{{filebeat}} modules](beats://reference/filebeat/filebeat-modules.md)) are ECS-compliant, which means data they ship to {{elastic-sec}} will automatically populate the relevant ECS fields. If you plan to use a custom implementation to map your data to ECS fields (see [how to map data to ECS](ecs://reference/ecs-converting.md)), ensure the [always required fields](#siem-always-required-fields) are populated. Ideally, all relevant ECS fields should be populated as well.
::::


For detailed information about which ECS fields can appear in documents generated by {{elastic-endpoint}}, refer to the [Endpoint event documentation](https://github.com/elastic/endpoint-package/tree/main/custom_documentation/doc/endpoint).


## Always required fields [siem-always-required-fields]

{{elastic-sec}} requires all event and threat intelligence data to be normalized to ECS.  For proper operation, all data must contain the following ECS fields:

* `@timestamp`
* `ecs.version`
* `event.kind`
* `event.category`
* `event.type`


## Fields required for process events [siem-required-process-event-fields]

{{elastic-sec}} relies on these fields to analyze and display process data:

* `process.name`
* `process.pid`


## Fields required for host events [siem-host-fields]

{{elastic-sec}} relies on these fields to analyze and display host data:

* `host.name`
* `host.id`

{{elastic-sec}} may use these fields to display additional host data:

* `cloud.instance.id`
* `cloud.machine.type`
* `cloud.provider`
* `cloud.region`
* `host.architecture`
* `host.ip`
* `host.mac`
* `host.os.family`
* `host.os.name`
* `host.os.platform`
* `host.os.version`


#### Authentication fields [_authentication_fields]

{{elastic-sec}} relies on these fields and values to analyze and display host authentication data:

* `event.category:authentication`
* `event.outcome:success` or `event.outcome:failure`

{{elastic-sec}} may also use this field to display additional host authentication data:

* `user.name`


#### Uncommon process fields [_uncommon_process_fields]

{{elastic-sec}} relies on this field to analyze and display host uncommon process data:

* `process.name`

{{elastic-sec}} may also use these fields to display uncommon process data:

* `agent.type`
* `event.action`
* `event.code`
* `event.dataset`
* `event.module`
* `process.args`
* `user.id`
* `user.name`


## Fields required for network events [siem-required-network-fields]

{{elastic-sec}} relies on these fields to analyze and display network data:

* `destination.geo.location` (required for display of [map data](/solutions/security/explore/configure-network-map-data.md))
* `destination.ip`
* `source.geo.location` (required to display map data)
* `source.ip`

{{elastic-sec}} may also use these fields to analyze and display network data:

* `destination.as.number`
* `destination.as.organization.name`
* `destination.bytes`
* `destination.domain`
* `destination.geo.country_iso_code`
* `source.as.number`
* `source.as.organization.name`
* `source.bytes`
* `source.domain`
* `source.geo.country_iso_code`


#### DNS query fields [_dns_query_fields]

{{elastic-sec}} relies on these fields to analyze and display DNS data:

* `dns.question.name`
* `dns.question.registered_domain`

{{elastic-sec}} may also use this field to display DNS data:

* `dns.question.type`

    ::::{note}
    If you want to be able to filter out PTR records, make sure relevant events have `dns.question.type` fields with values of `PTR`.
    ::::



#### HTTP request fields [_http_request_fields]

{{elastic-sec}} relies on these fields to analyze and display HTTP request data:

* `http.request.method`
* `http.response.status_code`
* `url.domain`
* `url.path`


#### TLS fields [_tls_fields]

{{elastic-sec}} relies on this field to analyze and display TLS data:

* `tls.server.hash.sha1`

{{elastic-sec}} may also use these fields to analyze and display TLS data:

* `tls.server.issuer`
* `tls.server.ja3s`
* `tls.server.not_after`
* `tls.server.subject`


## Fields required for events and external alerts [_fields_required_for_events_and_external_alerts]

{{elastic-sec}} relies on this field to analyze and display event and external alert data:

* `event.kind`

    ::::{note}
    For external alerts, the `event.kind` field’s value must be `alert`.
    ::::


{{elastic-sec}} may also use these fields to analyze and display event and external alert data:

* `destination.bytes`
* `destination.geo.city_name`
* `destination.geo.continent_name`
* `destination.geo.country_iso_code`
* `destination.geo.country_name`
* `destination.geo.region_iso_code`
* `destination.geo.region_name`
* `destination.ip`
* `destination.packets`
* `destination.port`
* `dns.question.name`
* `dns.question.type`
* `dns.resolved_ip`
* `dns.response_code`
* `event.action`
* `event.code`
* `event.created`
* `event.dataset`
* `event.duration`
* `event.end`
* `event.hash`
* `event.id`
* `event.module`
* `event.original`
* `event.outcome`
* `event.provider`
* `event.risk_score_norm`
* `event.risk_score`
* `event.severity`
* `event.start`
* `event.timezone`
* `file.ctime`
* `file.device`
* `file.extension`
* `file.gid`
* `file.group`
* `file.inode`
* `file.mode`
* `file.mtime`
* `file.name`
* `file.owner`
* `file.path`
* `file.size`
* `file.target_path`
* `file.type`
* `file.uid`
* `host.id`
* `host.ip`
* `http.request.body.bytes`
* `http.request.body.content`
* `http.request.method`
* `http.request.referrer`
* `http.response.body.bytes`
* `http.response.body.content`
* `http.response.status_code`
* `http.version`
* `message`
* `network.bytes`
* `network.community_id`
* `network.direction`
* `network.packets`
* `network.protocol`
* `network.transport`
* `pe.original_file_name`
* `process.args`
* `process.executable`
* `process.hash.md5`
* `process.hash.sha1`
* `process.hash.sha256`
* `process.name`
* `process.parent.executable`
* `process.parent.name`
* `process.pid`
* `process.ppid`
* `process.title`
* `process.working_directory`
* `rule.reference`
* `source.bytes`
* `source.geo.city_name`
* `source.geo.continent_name`
* `source.geo.country_iso_code`
* `source.geo.country_name`
* `source.geo.region_iso_code`
* `source.geo.region_name`
* `source.ip`
* `source.packets`
* `source.port`
* `user.domain`
* `user.name`