Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added location and name field to observer. #557

Closed
wants to merge 2 commits into from
Closed

Added location and name field to observer. #557

wants to merge 2 commits into from

Conversation

mbudge
Copy link
Contributor

@mbudge mbudge commented Sep 11, 2019

Web proxies can block traffic in the same way as an Intrusion Prevention System which is listed as a type of Observer. Added a location and name field so observer can also store fields use to describe web proxy appliances found in web proxy logs.

@mbudge
Added location and name field.
ba87ee7 
Web proxies can block traffic in the same way as an IPS. Added a location and name field so observer can hold these fields which are found in web proxy logs.
@mbudge mbudge changed the title Added location and name field. Added location and name field to observer. Sep 11, 2019
@MikePaquette MikePaquette self-requested a review September 12, 2019 01:12
@MikePaquette
Copy link
Contributor

MikePaquette commented Sep 12, 2019
edited
Loading

@mbudge Indeed a proxy would be considered an observer in ECS. In fact, it is listed as one of the examples for the observer.type field in the ECS observer docs.

Please note that the geo.* fields maybe nested below observer.* providing you with multiple fields to store the location-related information regarding an observer. For example:
observer.geo.city_name, observer.geo.continent_name, observer.geo.country_iso_code, observer.geo.country_name observer.geo.location, observer.geo.name, observer.geo.region_iso_code, and observer.geo.region_name.

In addition, ECS specifies observer.vendor and observer.version and observer.os.nameandobserver.os.version`.

For example: you might have: observer.vendor:"symantec", observer.version:"s200", observer.os.name:"proxysg", and observer.geo.name:"3rd_floor_mdf".

So I think we already have enough observer fields to capture this information, so I don't think we should proceed with your proposed observer.location and observer.name.

Thanks!

@mbudge
Copy link
Contributor Author

mbudge commented Sep 12, 2019

Hi,

Didn't see the observer.os.location so we'll use that.

Not sure about observer.os.name for the appliance name, as we want to store the appliances custom name used to identify the appliance. This is similar to the agent.name field but for appliances instead of an agent.

There could be several if there are multiple web proxies on the network.
1_proxysg
2_proxysg
3_proxysg

Thanks!

@MikePaquette
Copy link
Contributor

@mbudge Good point about the actual name of the observer in addition to its location. Also, I think my above use of observer.os.name was not correct. In fact, I think we are missing another field like observer.product. What do you think of the following improved mapping examples?

  • observer.type:"proxy"
  • observer.name:"1_proxysg" (this is the new field that you are suggesting)
  • observer.vendor:"symantec"
  • observer.product:"s200" (this is another new field - could also be observer.model)
  • observer.os.name:"sgos"
  • observer.os.version:"7.1"
  • observer.geo.name:"3rd_floor_mdf"

and another:

  • observer.type:"firewall"
  • observer.name:"gateway_firewall_1a"
  • observer.vendor:"palo alto"
  • observer.product:"pa5060"
  • observer.os.name:"panos"
  • observer.os.version:"9.1"
  • observer.geo.name:"3rd_floor_mdf"

If you agree that these are good mappings, then if you would modify this PR to include only the observer.name and observer.product additions, then I will be happy to review.

Thanks for your active contributions!

@mbudge
Added product and name field
00106fb 
The product field is for the observer product name. The name field is for the observers custom name.
@mbudge
Copy link
Contributor Author

mbudge commented Sep 12, 2019

Agreed those fields would be a great addition.

webmat
webmat suggested changes Sep 23, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for sending this over, this looks good! It will make the observer field set that much more aligned with agent :-)

I have a few small requests before we merge this in, please:

  • Add a changelog entry to CHANGELOG.next.md
  • Adjust the descriptions for .name and .product as described in the comments below
  • Add the corresponding example to .vendor, so we have "Symantec s200" broken out to their appropriate fields, in their respective examples

Thanks again!

schemas/observer.yml
level: core
type: keyword
description: >
Name of the observer.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please flesh out this description a little more, to make it clear that this is meant to be user-configured.

For inspiration, here's two other places in ECS where we have .name meant to be a user-customizable value: agent.name and host.name

schemas/observer.yml
level: core
type: keyword
description: >
The observers product name.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency's sake with the other field definitions, please use

Suggested change
The observers product name.
The product name of the observer.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another request, since we're going with @MikePaquette's s200 example, could you also add a corresponding example to the "vendor" field, with value "Symantec", please?

ruflin
ruflin reviewed Sep 24, 2019
View reviewed changes
schemas/observer.yml
@@ -31,6 +31,18 @@
type: keyword
description: >
Hostname of the observer.
- name: name
level: core
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make these fields extended for now? Easy to move it to core later but not sure about the other way around.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 for level: extended for these new additions

MikePaquette
MikePaquette approved these changes Sep 24, 2019
View reviewed changes
schemas/observer.yml
@@ -31,6 +31,18 @@
type: keyword
description: >
Hostname of the observer.
- name: name
level: core
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 for level: extended for these new additions

webmat pushed a commit to webmat/ecs that referenced this pull request Oct 1, 2019
Apply PR elastic#557 feedback
3b80fb0
webmat pushed a commit to webmat/ecs that referenced this pull request Oct 1, 2019
Apply PR elastic#557 feedback
40ef9f6
@webmat webmat mentioned this pull request Oct 1, 2019
Merged
@webmat webmat closed this in #571 Oct 3, 2019
webmat pushed a commit that referenced this pull request Oct 3, 2019
Add observer.name and observer.product (#571, #557)
204d4de
@webmat webmat mentioned this pull request Oct 3, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruflin ruflin ruflin left review comments

@webmat webmat webmat requested changes

@MikePaquette MikePaquette MikePaquette approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mbudge @MikePaquette @webmat @ruflin