Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add network category and related types #761

Merged
merged 6 commits into from
Mar 4, 2020
Merged

Add network category and related types #761

merged 6 commits into from
Mar 4, 2020

Conversation

MikePaquette
Copy link
Contributor

@MikePaquette MikePaquette commented Feb 24, 2020
edited
Loading

This PR adds a new value of event.category:"network" and the corresponding values of event.type to be able to represent all network events and metrics in ECS.

  • event.category:"network"
  • event.type:"allowed"
  • event.type:"denied"
  • event.type:"connection"
  • event.type:"protocol"

@dainperkins
Copy link
Contributor

Are we putting flow to be under connection? Or would that be dependent on event.kind?

@webmat
Copy link
Contributor

webmat commented Feb 25, 2020

I think we should add "allowed" and "denied" to category "authentication" as well. WDYT?

@dainperkins
Copy link
Contributor

authentication should be success, failure - allowed/denied is authorization (which iirc we are typically reporting on under the resource that access was attempted on - e.g. file access allowed / denied)

@MikePaquette
Copy link
Contributor Author

@dainperkins re:

Are we putting flow to be under connection? Or would that be dependent on event.kind?

Not sure what you mean by "flow" in that question, but indeed anything that would be included in flow analysis would have event.type:connection

webmat
webmat reviewed Mar 2, 2020
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small formatting change required. Otherwise I think we're good!

schemas/event.yml Outdated
description: >
The denied event type is used for the subset of events within a category that
indicate that something was denied. Common examples include
`event.category:”network” AND event.type:denied` (to indicate a network
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure to always use straight quotes, not the fancy ones Google Docs and the others use.

Suggested change
`event.category:network AND event.type:denied` (to indicate a network
`event.category:"network" AND event.type:denied` (to indicate a network

dainperkins
dainperkins approved these changes Mar 2, 2020
View reviewed changes
Copy link
Contributor

@dainperkins dainperkins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me

dcode
dcode suggested changes Mar 2, 2020
View reviewed changes
Copy link
Contributor

@dcode dcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to tweak the formatting but the content otherwise looks good.

andrewkroh
andrewkroh approved these changes Mar 2, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just some minor comments (on the wrong/generated file).

@MikePaquette MikePaquette self-assigned this Mar 3, 2020
@MikePaquette MikePaquette requested a review from dcode March 3, 2020 13:58
@webmat webmat merged commit 6ca4da1 into elastic:master Mar 4, 2020
dcode pushed a commit to dcode/ecs that referenced this pull request Apr 15, 2020
@MikePaquette @dcode
Add network category and related event types (elastic#761)
2718f1e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

@dainperkins dainperkins dainperkins approved these changes

@dcode dcode Awaiting requested review from dcode

Assignees

@MikePaquette MikePaquette

Labels
1.5.0 categorization
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@MikePaquette @dainperkins @webmat @dcode @andrewkroh