[RFC] Extend event.kind allowed values with asset #2178
Conversation
|
@SourinPaul or @MikePaquette, feel free to add any links or other notes that should be added to the RFC. (If you want, just comment and I'll add it to the markdown document). |
rfcs/text/0038-event-kind-asset.md
Outdated
| # 0038: Extend event.kind allowed values with asset | ||
| <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. --> | ||
|
|
||
| - Stage: **0 (strawperson)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html --> |
There was a problem hiding this comment.
Since the scope of this change is small and the proposal is already well detailed, I propose we target stage 2 initially instead of stage 0.
By moving to stage 2, event.kind: asset will be added into ECS but as a beta allowed value. We'll still have some flexibility to make adjustments if necessary.
@taylor-swanson if you agree with targeting to stage 2, can you capture any necessary detail in the Scope of impact and Concerns?
There was a problem hiding this comment.
@ebeahan, That seems to be reasonable to me.
@SourinPaul, do we have anything specific to call out here for Scope of Impact or Concerns? I can add them to the PR once we have them.
There was a problem hiding this comment.
cc @MikePaquette in case you have any additional input here (see my comment for Sourin immediately above).
There was a problem hiding this comment.
Scope of Impact:
We expect to consistently use the asset value within the security solution across asset management, external asset integration, and persisting related metadata. This field may be further leveraged in o11y topology work as they also are exploring ways to extend the asset.* fields within ECS.
Concerns:
There are no breaking changes identified. I do not have any concerns to document at this time.
@taylor-swanson, please let me know if I can elaborate anything further. Thanks for driving this.
There was a problem hiding this comment.
Thanks, @SourinPaul, I think this looks good.
I think this could wait to Stage 3 as Eric mentioned, but to add to his comment below, should we include verbiage in description for asset to say something on the lines of:
This value is used by Elastic Security for asset management solutions.
Usage of this value is reserved, and data ingestion pipelines must not populate event.kind with the value "asset".
There was a problem hiding this comment.
data ingestion pipelines must not populate event.kind with the value "asset".
For event:kind: asset events, data pipelines (like the Azure AD user entity integration) will be populating this field, right?
There was a problem hiding this comment.
Oh good point. I think when I read that initially, I was thinking "anything not our pipeline". I'll remove this line in that case, just keeping that its intended use is with the security solution.
rfcs/text/0038/event.yml
Outdated
| - name: asset | ||
| description: > | ||
| This value indicates events whose primary purpose is to store an inventory of | ||
| assets/entities and their attributes. Assets/entities are objects that are |
There was a problem hiding this comment.
I think it should be clearer here about what objects fall under our definition of asset. Users and devices are implied from the examples later, but I think it's best our definition be explicit.
We can take it even further and clarify this value is reserved and to be used by features of the Elastic stack, like signal.
|
|
||
| ## Usage | ||
|
|
||
| We want to represent a catalog of assets where each document represents some type of user or device entity. The `event.kind` field with `asset` value will be used to identity these types of documents. It has also been proposed that we combine this with other fields to have a more exact definition. For example, a user document may have these event fields specified: |
There was a problem hiding this comment.
In the final (stage 3) version, it may be nice to have examples for other entities included here for completeness, like groups and devices, if those definitions are finalized at that point.
This RFC proposes extending
event.kindwith an additional allowed value,asset. For the Entity Analytics project, we are looking to identify user, host, and other types of entity assets.