elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

MSSP or multitenancy event source labeling within ECS? #823

Open gimmic opened 4 years ago

gimmic commented 4 years ago

In a multi tenant type source environment, I have two discrete values to log with each event:

On review of the ECS schema I have not found perfect fits for these values. In an attempt to keep within the schema as much as possible, it seems like the relevant organization.* fields or event.* fields would be most appropriate.

My suggestion would be to include something along the lines of

event.source.organization: OrgAlpha  
event.source.type: zeek  

or

organization.source: OrgAlpha  
organization.source.type: zeek  

Today we use a non-compliant "log_source" field. I do think it would be ideal to keep event origin details in one general area; either as a set of organization labels or as event category labels.

dainperkins commented 4 years ago

@gimmic log origin type can be specified in event.module, event.data_set, as well as observer fields.

From a multi-tenancy standpoint, personally I would likely opt for an index (or set of indexes) per client, for ease of RBAC implementation and management, though I would likely still include organization fields (id, name) as well to differentiate logistically.

Will those fields fit the bill?

Thanks /d

gimmic commented 4 years ago

I overlooked observer.name. This actually looks good, but for utility may be best stored as a keyword & text so we could do partial matches. We do store into different indexes, but for cross-cluster searches identifying origin of an event by index is a little kludgy.

For MSSP type environment, you could set:
observer.name: orga_zeek (orga_palo_traffic, orga_palo_threat, orgb_asa, orgb_dns)
observer.product: zeek etc.

dainperkins commented 4 years ago

@gimmic - Sorry - I meant to type organization not observer (though you could do it in observer too)

https://www.elastic.co/guide/en/ecs/current/ecs-organization.html
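As an added example (not code from the ECS project or from either commenter), the normaliser below turns the non-compliant "log_source" label from the thread (values like orga_palo_traffic or orgb_asa) into the ECS organization.*, observer.* and event.* fields discussed above, and derives a per-tenant index name for RBAC. The tenant table, the product-to-module mapping and the sample events are constructed for the example; the event.module values (panw, cisco) are illustrative assumptions, not a statement of what any real ingest module sets.

```python
"""Map a legacy tenant-prefixed "log_source" label onto ECS fields.

Added example for the multi-tenant labelling discussed in the thread.
Everything here (tenant table, product table, sample events, index naming)
is constructed for illustration.
"""
from __future__ import annotations

# Constructed tenant table: legacy prefix -> ECS organization.id / organization.name
TENANTS = {
    "orga": {"id": "org-alpha", "name": "OrgAlpha"},
    "orgb": {"id": "org-bravo", "name": "OrgBravo"},
}

# Constructed product table: legacy source token -> observer.product / event.module.
# The module names are assumptions for the example, not real integration names.
PRODUCTS = {
    "zeek": {"product": "zeek", "module": "zeek"},
    "palo": {"product": "PAN-OS", "module": "panw"},
    "asa": {"product": "ASA", "module": "cisco"},
    "dns": {"product": "dns", "module": "dns"},
}

# Constructed sample input in the legacy shape the thread describes.
SAMPLE_EVENTS = [
    {"log_source": "orga_palo_traffic", "message": "allow tcp 10.0.0.5 -> 8.8.8.8:53"},
    {"log_source": "orgb_asa", "message": "%ASA-6-302013: Built outbound TCP connection"},
]


def parse_log_source(log_source: str) -> tuple[str, str, str | None]:
    """Split 'orga_palo_traffic' into (tenant, product, dataset-or-None)."""
    parts = log_source.lower().split("_")
    if len(parts) < 2:
        raise ValueError(f"unrecognised log_source: {log_source!r}")
    tenant, product = parts[0], parts[1]
    dataset = "_".join(parts[2:]) or None
    return tenant, product, dataset


def to_ecs(event: dict) -> dict:
    """Return a copy of `event` with organization.*, observer.* and event.* set.

    Unknown tenant prefixes are rejected rather than defaulted, so a
    mislabelled line is never indexed under the wrong customer.
    """
    tenant, product, dataset = parse_log_source(event["log_source"])
    if tenant not in TENANTS:
        raise ValueError(f"unknown tenant prefix {tenant!r} in {event['log_source']!r}")
    org = TENANTS[tenant]
    prod = PRODUCTS.get(product, {"product": product, "module": product})

    out = {k: v for k, v in event.items() if k != "log_source"}
    out["organization"] = {"id": org["id"], "name": org["name"]}
    # Keep the original label in observer.name so partial matches still work.
    out["observer"] = {"name": event["log_source"], "product": prod["product"]}
    out["event"] = dict(out.get("event", {}))
    out["event"]["module"] = prod["module"]
    out["event"]["dataset"] = f"{prod['module']}.{dataset or 'log'}"
    return out


def index_for(ecs_event: dict, prefix: str = "logs") -> str:
    """One index per organization.id and module, so RBAC can be applied per tenant."""
    return f"{prefix}-{ecs_event['organization']['id']}-{ecs_event['event']['module']}"


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ecs = to_ecs(raw)
        print(index_for(ecs), ecs["organization"], ecs["observer"], ecs["event"])
```

If observer.name should support partial matches as suggested above, map it as a keyword field with a text sub-field in the index template; the normaliser deliberately stores the original label unchanged there so that either query style works.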