The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
« Create or update an external incident
Elastic Docs SIEM Guide [7.8]

SIEM field reference guide

edit

SIEM field reference guide

edit

This section lists ECS fields the SIEM app uses to display data.

It is recommended to use Beats to ship your data. Beat modules (for example, Filebeat modules) are ECS-compliant so manual field mapping is not required, and all SIEM app data is automatically populated. If you cannot use Beats, map your data to ECS fields (see how to map data to ECS). You can also try using the experimental ECS Mapper tool.

Host fields

edit

These fields must be mapped to display host data in the SIEM app:

  • @timestamp
  • host.name

These fields can be mapped to display additional host data in the SIEM app:

  • cloud.instance.id
  • cloud.machine.type
  • cloud.provider
  • cloud.region
  • host.architecture
  • host.id
  • host.ip
  • host.mac
  • host.os.family
  • host.os.name
  • host.os.platform
  • host.os.version

Authentication fields

edit

These fields must be mapped to display host authentication data in the SIEM app:

  • event.category

    To display authentication data in the SIEM app, you must map authentication events to the event.category field with a value of authentication.

  • event.outcome

This field can be mapped to display additional host authentication data in the SIEM app:

  • user.name

Uncommon process fields

edit

This field must be mapped to display host uncommon process data in the SIEM app:

  • process.name

These fields can be mapped to display additional uncommon process data in the SIEM app:

  • agent.type
  • event.action
  • event.category
  • event.code
  • event.dataset
  • event.module
  • process.args
  • user.id
  • user.name

Network fields

edit

These fields must be mapped to display network data in the SIEM app:

  • @timestamp
  • destination.geo.location (required for displaying map data)
  • destination.ip
  • source.geo.location (required for displaying map data)
  • source.ip

These fields can be mapped to display additional network data in the SIEM app:

  • destination.as
  • destination.bytes
  • destination.domain
  • destination.geo.country_iso_code
  • source.as
  • source.bytes
  • source.domain
  • source.geo.country_iso_code

DNS query fields

edit

These fields must be mapped to display DNS data in the SIEM app:

  • dns.question.name
  • dns.question.registered_domain

This field can be mapped to display additional DNS data in the SIEM app:

  • dns.question.type

    If you want to be able to filter out PTR records, make sure relevant events populate the dns.question.type field with a value of PTR.

HTTP request fields

edit

These fields must be mapped to display HTTP request data in the SIEM app:

  • http.request.method
  • http.response.status_code
  • url.domain
  • url.path

TLS fields

edit

This field must be mapped to display TLS data in the SIEM app:

  • tls.server.hash.sha1

These fields can be mapped to display additional TLS data in the SIEM app:

  • tls.server.issuer
  • tls.server.ja3s
  • tls.server.not_after
  • tls.server.subject

Event and external alert fields

edit

These fields must be mapped to display event and external alert data in the SIEM app:

  • @timestamp

  • event.kind

    For external alerts, the event.kind field value must be alert.

These fields can be mapped to display additional event and external alert data in the SIEM app:

  • destination.bytes
  • destination.geo.city_name
  • destination.geo.continent_name
  • destination.geo.country_iso_code
  • destination.geo.country_name
  • destination.geo.region_iso_code
  • destination.geo.region_name
  • destination.ip
  • destination.packets
  • destination.port
  • dns.question.name
  • dns.question.type
  • dns.resolved_ip
  • dns.response_code
  • event.action
  • event.category
  • event.code
  • event.created
  • event.dataset
  • event.duration
  • event.end
  • event.hash
  • event.id
  • event.module
  • event.original
  • event.outcome
  • event.provider
  • event.risk_score_norm
  • event.risk_score
  • event.severity
  • event.start
  • event.timezone
  • event.type
  • file.ctime
  • file.device
  • file.extension
  • file.gid
  • file.group
  • file.inode
  • file.mode
  • file.mtime
  • file.name
  • file.owner
  • file.path
  • file.size
  • file.target_path
  • file.type
  • file.uid
  • host.id
  • host.ip
  • http.request.body.bytes
  • http.request.body.content
  • http.request.method
  • http.request.referrer
  • http.response.body.bytes
  • http.response.body.content
  • http.response.status_code
  • http.version
  • message
  • network.bytes
  • network.community_id
  • network.direction
  • network.packets
  • network.protocol
  • network.transport
  • pe.original_file_name
  • process.args
  • process.executable
  • process.hash.md5
  • process.hash.sha1
  • process.hash.sha256
  • process.name
  • process.parent.executable
  • process.parent.name
  • process.pid
  • process.ppid
  • process.title
  • process.working_directory
  • rule.reference
  • source.bytes
  • source.geo.city_name
  • source.geo.continent_name
  • source.geo.country_iso_code
  • source.geo.country_name
  • source.geo.region_iso_code
  • source.geo.region_name
  • source.ip
  • source.packets
  • source.port
  • user.domain
  • user.name
« Create or update an external incident