Open andrewthad opened 3 years ago
From what I can see, this already exists but in another place:
I don't see mappings on either of the hyperlinked pages. Is there a more specific resource in that repository?
Not exactly the full mappings proposed in the original description, but there's an effort to include more real-world usage examples in the ECS documentation. Here are a couple:
The intent is to have both:
Summary
Canonical mappings for well-understood devices or systems should be part of the ECS documentation. This means devices with a stable and documented log format. For example: zeek, suricata, haproxy, palo alto firewalls, fortigate firewalls, iptables, standard SNMP mibs, windows event logs. This will make it easier for people to figure out how to apply ECS to their workload. Even a user of a device without a canonical mapping would benefit from looking at how a similar event (or an event from a similar device) is mapped.
Motivation:
To my knowledge, there are several ways to figure out how to map logs and events to ECS:
ECS appears to have been originally authored with firewalls front and center. There are even some examples of how to map these on the issue tracker, but some of them are slightly wrong or out of date. Events that aren't firewall events can be hard to figure out because there is less discussion about them.
Rather than being relegated to the issue tracker, this information should be part of the ECS documentation. That way, as new fields are added, old examples can be updated.
Detailed Design:
Only devices and software with documentation that provides names for fields should be considered. Without a vendor-supplied canonical name, it is difficult to refer to a field. Every mapping should include:
Implementation Plan
I have already developed several mappings that I am able to contribute if this proposal is accepted.
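As an added illustration of what one such canonical mapping could look like (example code, not from the issue or the ECS project), the function below maps a constructed iptables LOG-target syslog line onto ECS fields. The sample line and the `ACTION-CHAIN` convention for `--log-prefix` are assumptions; the ECS field names used (`event.*`, `observer.*`, `source.*`, `destination.*`, `network.*`, `rule.name`) are real ECS fields.

```python
import re
from typing import Any, Dict

# Constructed sample of an iptables LOG-target line as syslog records it (not from the page).
SAMPLE_LINE = (
    "Mar 10 12:34:56 fw1 kernel: [12345.678901] DROP-INPUT IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0"
)

# Syslog header, optional kernel uptime stamp, free-text --log-prefix, then KEY=VALUE pairs.
_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?(?P<prefix>.*?)\s*(?P<kv>IN=.*)$"
)

def parse_kv(text: str) -> Dict[str, str]:
    """Split the iptables KEY=VALUE section; bare flags such as DF or SYN get value ''."""
    out: Dict[str, str] = {}
    for tok in text.split():
        key, _, val = tok.partition("=")
        out[key] = val
    return out

def iptables_to_ecs(line: str) -> Dict[str, Any]:
    """Return a nested ECS document for one iptables LOG line (BSD syslog timestamp kept raw)."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an iptables LOG line")
    kv = parse_kv(m["kv"])
    prefix = m["prefix"].strip()
    # Assumption: the site writes --log-prefix as ACTION-CHAIN (e.g. DROP-INPUT).
    action = prefix.split("-")[0].lower() if prefix else "log"
    outcome = "denied" if action in ("drop", "reject") else "allowed"
    proto = kv.get("PROTO", "").lower()
    return {
        "event": {"kind": "event", "category": ["network"], "type": ["connection", outcome],
                  "action": action, "original": line},
        "observer": {"type": "firewall", "hostname": m["host"],
                     "ingress": {"interface": {"name": kv.get("IN") or None}},
                     "egress": {"interface": {"name": kv.get("OUT") or None}}},
        "source": {"ip": kv.get("SRC"), "port": int(kv["SPT"]) if "SPT" in kv else None},
        "destination": {"ip": kv.get("DST"), "port": int(kv["DPT"]) if "DPT" in kv else None},
        "network": {"transport": proto or None,
                    "type": "ipv4" if "." in kv.get("SRC", "") else "ipv6"},
        "rule": {"name": prefix or None},
    }
```

The empty `OUT=` field is deliberately mapped to `None` rather than an empty string so a missing egress interface is distinguishable from one named in the log.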