Open taylor-swanson opened 1 year ago
@ebeahan should this proposal be folded into Sourin's RFC or could we add `event.kind: asset` outside of an RFC?
RFC 0038 is already at stage 2 and `event.kind: asset` was added in https://github.com/elastic/ecs/pull/2191. I think it's okay to continue them independently.
## Summary

This change proposes extending `event.kind` with an additional allowed value, `asset`.

## Motivation

For the Entity Analytics project, we are looking to identify user, host, and other types of entity assets. The current allowed values for `event.kind` don't have a good value to represent these types of documents.

## Detailed Design
Mike Paquette wrote up a great proposal for the docs for this new value, which I think captures what we want to accomplish here.
`event.kind: asset`

This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects that are expected to be subjects of detailed analysis within the system.

Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs.

`event.kind: asset` is not used for normal system events or logs that are coming from an asset/entity, nor is it used for system events or logs coming from a directory or CMDB system.

By contrast, `event.kind: enrichment` is used to indicate events whose primary purpose is to enrich other objects represented within the system. For example, threat indicators (IOCs) and GeoIP information are used primarily for enrichment, and therefore would be indicated by `event.kind: enrichment`.
cc @SourinPaul @MikePaquette
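The distinction drawn in the design above (asset records versus logs that merely come from a directory or CMDB, versus enrichment data) as an added example; this is not code from the PR or from ECS. It assumes the existing ECS `event.kind` values `alert`, `enrichment`, `event`, `metric`, `state`, `pipeline_error` and `signal`, and the sample documents are constructed.

```python
# Added example, not part of the ECS PR: a validator for the proposed
# event.kind value set and an inventory builder that keeps asset documents only.

# Existing ECS event.kind values (assumed), plus "asset" as proposed here.
ALLOWED_EVENT_KINDS = frozenset({
    "alert", "asset", "enrichment", "event", "metric",
    "pipeline_error", "signal", "state",
})


def validate_event_kind(doc):
    """Return the document's event.kind; raise ValueError if it is missing
    or not one of the allowed values."""
    kind = doc.get("event", {}).get("kind")
    if kind not in ALLOWED_EVENT_KINDS:
        raise ValueError(f"unsupported event.kind: {kind!r}")
    return kind


def build_asset_inventory(docs):
    """Collect entity identifiers only from documents whose primary purpose
    is to describe an asset (event.kind: asset). Logs emitted by a directory
    or CMDB (event.kind: event) and enrichment data (event.kind: enrichment)
    are skipped even though they mention the same entities."""
    inventory = {"users": set(), "hosts": set()}
    for doc in docs:
        if validate_event_kind(doc) != "asset":
            continue
        if "name" in doc.get("user", {}):
            inventory["users"].add(doc["user"]["name"])
        if "name" in doc.get("host", {}):
            inventory["hosts"].add(doc["host"]["name"])
    return inventory


# Constructed sample documents (hypothetical values, not real data).
SAMPLE_DOCS = [
    # User identity ingested from Active Directory: an asset record.
    {"event": {"kind": "asset"}, "user": {"name": "alice"}},
    # Host pulled from a CMDB: also an asset record.
    {"event": {"kind": "asset"}, "host": {"name": "web-01"}},
    # A logon event coming *from* AD mentions a user and host but is a normal event.
    {"event": {"kind": "event", "category": ["authentication"]},
     "user": {"name": "bob"}, "host": {"name": "dc-01"}},
    # Threat indicator: enrichment data, not an asset.
    {"event": {"kind": "enrichment"}, "threat": {"indicator": {"type": "ipv4-addr"}}},
]

if __name__ == "__main__":
    print(build_asset_inventory(SAMPLE_DOCS))
```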