elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

event reason? #613

Closed enotspe closed 4 years ago

enotspe commented 4 years ago

Regarding

event.category / event.action / event.outcome

I think we also need event.reason

For example:

- event.category: user-management
- event.action: user-password-change
- event.outcome: failure
- event.reason: password policy violation

MikePaquette commented 4 years ago

@enotspe would the ECS message field be appropriate here?

d-almeida commented 4 years ago

I also have been adding event.reason as a keyword for terms aggregations in visualizations. The message field is meant to always be of type text, and Kibana doesn't yet support Significant Text aggregations https://github.com/elastic/kibana/issues/31614.

enotspe commented 4 years ago

@MikePaquette message seems to me to be more detailed and extended (text). event.reason should be something shorter and categorizable (aggregatable).

scathatheworm commented 4 years ago

event.reason seems like a great addition.

I am currently processing data from at least these sources that provide a reason field of some kind:

In addition to that a lot of internal application logging ends up providing a reason for action taken.

For the time being I am using event.reason as a keyword plus a .text field for full-text search on it, but it seems like a good candidate for getting an official spot in ECS.
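The keyword-plus-.text layout described in the comment above, as an added example mapping (not from the ECS project itself): event.reason is a keyword so it can drive terms aggregations, with a text multi-field for full-text search, while message stays text only and is therefore not aggregatable. The index name and the ignore_above value are assumptions chosen for illustration.

```json
{
  "mappings": {
    "properties": {
      "event": {
        "properties": {
          "category": { "type": "keyword" },
          "action":   { "type": "keyword" },
          "outcome":  { "type": "keyword" },
          "reason": {
            "type": "keyword",
            "ignore_above": 1024,
            "fields": {
              "text": { "type": "text" }
            }
          }
        }
      },
      "message": { "type": "text" }
    }
  }
}
```

With this mapping a terms aggregation on event.reason buckets failures by cause (e.g. "password policy violation" from the opening comment), while a match query on event.reason.text or message still finds free-form detail.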

jamiehynds commented 4 years ago

We are in the process of adding event.reason to the schema. Another related discussion here.