Addition of related.mac and related.port #2288
Conversation
|
💚 CLA has been signed |
|
The contributor license agreement on https://www.elastic.co/contributor-agreement has been signed. |
|
@hisecu would you please provide some additional details in the description about the proposed changes and how'd the changes would benefit ECS? |
|
@ebeahan thanks for your feedback, is that here in the comments or elsewhere? |
In the PR description is fine. |
@ebeahan I edited the description above, is it ok like this? |
|
This PR is stale because it has been open for 60 days with no activity. |
| before they populate this array. For this, The notation format from RFC 7042 is suggested: | ||
| Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving | ||
| the value of the octet as an unsigned integer. Successive octets are separated by a | ||
| hyphen. |
There was a problem hiding this comment.
I think an example would be useful here.
| short: All the mac addresses seen on your event. | ||
| description: > | ||
| All the mac addresses seen on your event. The mac addresses should be standardized | ||
| before they populate this array. For this, The notation format from RFC 7042 is suggested: |
There was a problem hiding this comment.
typo in uppercase ..., The notation...
|
This PR is stale because it has been open for 60 days with no activity. |
At Leiden University we already use the related.port field, and internally there is a demand for
related.mac, which is even more important, and which is flagged as a "must have" by an end user.
In general, the aggregation of related values makes searches far easier for end users.
They do not need to know about all the field names that may contain a port number or a
MAC address, or all the various formats of MAC addresses that are possible.
The reason why related.mac is more important is, that a MAC address has many different
formats in ingest like log entries. Examples are colon-separated hex values like
FF:FF:FF:FF:FF:FF and ff:ff:ff:ff:ff:ff, flat formats like FFFFFFFFFFFF and ffffffffffff,
hyphen-separated values like FF-FF-FF-FF-FF-FF and ff-ff-ff-ff-ff-ff, and dot separated
values like FFFF.FFFF.FFFF and ffff.ffff.ffff. In fact, space separated and
IPv6 Modified EUI-64 are also possible. For the end user, it is difficult to work with this.
If all MAC addresses of all key names are aggregated in related.mac with a canonical format,
which is know to the end user, the search will be very easy.
A fictional example: There is new worm named BogusWorm that uses port 16511/tcp and which
offers a remote exploit to an attacker. It is not known yet whether this port is only used
for incoming traffic or for outgoing traffic as well. There are 30 different candidate
fields that may contain the port number. It makes it easy to be able to simply use a KQL
query like related.port : 16511
It would not surprise me, if the aggregation of even more fields/values would be useful,
our current request is limited to related.port and related.mac
make test?makeand committed those changes?