-
Notifications
You must be signed in to change notification settings - Fork 420
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parity with Elastic Endpoint #647
Comments
Thanks for opening this, Ross! With yesterday's 1.3 release, parent process details can be captured on the event, at ECS issues to open
Questions Here's a few points or questions wrt to the rest of what I see:
|
@webmat , @rw-access here's the unique pid discussion issue: #672 |
And Ross opened the registry discussion at #671 |
I'm looking at the body of the issue and I'm wondering why DNS is there. Could you open an issue stating specifically what's missing from your POV, from the current DNS field set? |
Oh sorry, I think DNS is good. I was just being verbose and linked to existing issues. |
As part of the EQL integration within Elasticsearch (elastic/elasticsearch#49581), it's important that we have maximum interoperability so that queries can run on the endpoint or on Elasticsearch, and this requires the schemas to be shared between them. There is still a significant delta, so we've been using the
endgame.*
namespace in the interim for anything unmapped to ECS. Hopefully, this can serve as a meta issue and I'll try to track endpoint-specific mappings from here:Related Issues
Endgame mappings
Within our EQL analytics library, we have several fields that are mapped. I bolded the ones that are used in analytics within the repo, and checked off when mapped to ECS.
process.command_line
andprocess.args
destination.address
destination.port
file.name
file.path
host.hostname
process.parent.name
(as of ECS 1.3.0)process.parent.executable
(as of ECS 1.3.0)process.pid
process.ppid
process.name
process.executable
network.transport
source.address
source.port
network.bytes
userthis is just a more "qualified" domain + name combo (e.g.NT AUTHORITY\SYSTEM
)user.domain
user.name
user.id
Categorization
We also have a concept of
enums
for subtypes, which is really just a list of accepted values for a given field. This will add a layer of standardization when we standardize values for ECS, which is going to be very necessary if users expect to share across data sources.Some of the values we've enumerated, which often map to Endgame's
event_subtype_full
oropcode
fields. These all require solving categorization and enumerated values for event.category, event.type and event.action:The text was updated successfully, but these errors were encountered: