Open mbudge opened 11 months ago
I personally like this idea, and came here looking for this same concept. Not entirely sure if event is the right top level, or if maybe something like network.zone might be better. It might also be good to have say source.zone and destination.zone available for the zones involved in a network connection.
Ah yes, ECS network is for both host and network events, so network.zone and network.environment might be better.
Another contender is network.environment, network.zone and network.geo.*, so we add network.geo.country_name and network.geo.city_name.
We have beats/elastic-agent collecting log data from many different regional offices, cloud environments and third-party services.

We do zone tagging to make it easier for security analysts/IT to select the metrics/logs in a specific zone. During triage of security alerts this also helps analysts know which IT team is responsible for the host/service which caused the security alert.
zone: the network zone the event was collected from
environment: the environment within the above network zone

zone can be a country code like uk, us, ca, ky; a cloud name like gcp, azure, oci or aws; for third-party services the zone is api or external.

environment can be prod, production, dev, development, non-prod, test or uat.
Would the following fields be good additions to ECS?

event.zone
event.environment
Examples of event.zone:
event.zone:ca
event.zone:us
event.zone:uk
event.zone:gb
event.zone:ir
event.zone:sa
event.zone:aws
event.zone:gcp
event.zone:oci
event.zone:azure
event.zone:api
event.zone:external

Examples of event.environment:
event.environment:prod
event.environment:non-prod
event.environment:dev
event.environment:test
event.environment:uat
These fields would be set in the Fleet Policy settings.
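The proposal above leans on a small controlled vocabulary (country codes, cloud names, api/external for third parties; prod/dev/non-prod/test/uat with longer spellings) being applied consistently by every Fleet policy. The added example below, which is not code from the ECS project or from the issue author, shows what a pre-index normalisation step for such tags could look like: it lower-cases the values, collapses spellings such as production onto prod, classifies the zone for routing and rejects events whose tags are missing or outside the vocabulary, so a mis-enrolled agent is noticed instead of being filed under a zone nobody owns. The helper names (zone_kind, normalise_tags, triage_summary), the grouping of zones into kinds and the sample events are all assumptions made for the example.

```python
"""Normalise proposed event.zone / event.environment tags before indexing.

Added example: not code from the ECS project or the issue author. It assumes
the value lists quoted in the issue as a (hypothetical) controlled vocabulary
and a pre-index hook where misconfigured tags can be rejected.
"""

# Vocabulary taken from the issue text; grouping zones into "kinds" is an
# assumption made here for alert routing, not an ECS definition.
COUNTRY_ZONES = {"uk", "gb", "us", "ca", "ky", "ir", "sa"}
CLOUD_ZONES = {"aws", "gcp", "azure", "oci"}
THIRD_PARTY_ZONES = {"api", "external"}

# Free-text spellings collapsed onto one canonical environment value each.
ENVIRONMENT_ALIASES = {
    "prod": "prod",
    "production": "prod",
    "dev": "dev",
    "development": "dev",
    "non-prod": "non-prod",
    "nonprod": "non-prod",
    "test": "test",
    "uat": "uat",
}


class TagError(ValueError):
    """A zone or environment tag is missing or outside the agreed vocabulary."""


def zone_kind(zone):
    """Classify a zone value as 'country', 'cloud' or 'third-party'."""
    zone = zone.strip().lower()
    if zone in COUNTRY_ZONES:
        return "country"
    if zone in CLOUD_ZONES:
        return "cloud"
    if zone in THIRD_PARTY_ZONES:
        return "third-party"
    raise TagError(f"unknown zone {zone!r}")


def normalise_tags(event):
    """Return a copy of `event` with event.zone/event.environment canonicalised.

    Events whose tags are absent or unrecognised are rejected, so an agent
    enrolled with a wrong Fleet policy shows up as an error rather than
    being silently filed under a non-existent zone.
    """
    meta = event.get("event") or {}
    raw_zone = str(meta.get("zone", "")).strip().lower()
    raw_env = str(meta.get("environment", "")).strip().lower()
    if not raw_zone or not raw_env:
        raise TagError("event.zone and event.environment are both required")
    zone_kind(raw_zone)  # raises TagError for values outside the vocabulary
    if raw_env not in ENVIRONMENT_ALIASES:
        raise TagError(f"unknown environment {raw_env!r}")
    out = dict(event)
    out["event"] = {**meta, "zone": raw_zone, "environment": ENVIRONMENT_ALIASES[raw_env]}
    return out


def count_by_zone(events):
    """Group already-normalised events into {(zone, environment): count}."""
    counts = {}
    for ev in events:
        key = (ev["event"]["zone"], ev["event"]["environment"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"zone": "UK", "environment": "Production", "kind": "alert"}},
    {"event": {"zone": "uk", "environment": "prod", "kind": "alert"}},
    {"event": {"zone": "gcp", "environment": "non-prod", "kind": "event"}},
    {"event": {"zone": "api", "environment": "development", "kind": "event"}},
]


def triage_summary(events=SAMPLE_EVENTS):
    """Normalise then count; rejected events are returned separately for follow-up."""
    accepted, rejected = [], []
    for ev in events:
        try:
            accepted.append(normalise_tags(ev))
        except TagError as exc:
            rejected.append((ev, str(exc)))
    return count_by_zone(accepted), rejected


if __name__ == "__main__":
    counts, rejects = triage_summary()
    for (zone, env), n in sorted(counts.items()):
        print(f"{zone:<8} {env:<9} {zone_kind(zone):<12} {n}")
    for ev, why in rejects:
        print("rejected:", why)
```

Run as a script it prints one line per (zone, environment) pair with the zone kind and event count; the two differently spelled uk/prod alerts land in the same bucket, which is the property the analysts' zone filters depend on.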