[Event Log] Extend ECS event schema with fields needed for Detection Engine #95067
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,13 +6,23 @@ actitivies. | |
| ## Overview | ||
|
|
||
| This plugin provides a persistent log of "events" that can be used by other | ||
| plugins to record their processing, for later accces. It is used by: | ||
|
|
||
| - `alerting` and `actions` plugins | ||
| - [work in progress] `security_solution` (detection rules execution log) | ||
|
|
||
| The "events" are [ECS documents](https://www.elastic.co/guide/en/ecs/current/index.html) | ||
| containing both standard ECS fields and some custom fields for Kibana. | ||
|
|
||
| - Standard fields are those which are defined in the ECS specification. | ||
| Examples: `@timestamp`, `message`, `event.provider`. The number of ECS fields | ||
| supported in Event Log is limited today, but can be extended fairly easily. | ||
| We are being conservative in adding new fields though, to help prevent | ||
| indexing explosions. | ||
| - Custom fields are not part of the ECS spec. We defined a top-level `kibana` | ||
| field set where we have some Kibana-specific fields like `kibana.server_uuid` | ||
| and `kibana.saved_objects`. Plugins added a few custom fields as well, | ||
| for example `kibana.alerting` field set. | ||
|
|
||
| A client API is available for other plugins to: | ||
|
|
||
|
|
@@ -47,16 +57,25 @@ The structure of the event documents can be seen in the | |
| generated via a script when the structure changes. See the | ||
| [README.md](generated/README.md) for how to change the document structure. | ||
|
|
||
| Below is a document in the expected structure, with descriptions of the fields: | ||
|
|
||
| ```js | ||
| { | ||
| // Base ECS fields. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-base.html | ||
| "@timestamp": "ISO date", | ||
| tags: ["tags", "here"], | ||
| message: "message for humans here", | ||
|
|
||
| // ECS version. This is set by the Event Log and should not be specified | ||
| // by a client of Event Log. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html | ||
| ecs: { | ||
| version: "version of ECS used by the event log", | ||
| }, | ||
|
|
||
| // Event fields. All of them are supported. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-event.html | ||
| event: { | ||
| provider: "see below", | ||
| action: "see below", | ||
|
|
@@ -65,19 +84,44 @@ Below is an document in the expected structure, with descriptions of the fields: | |
| end: "ISO date of end time for events that capture a duration", | ||
| outcome: "success | failure, for events that indicate an outcome", | ||
| reason: "additional detail on failure outcome", | ||
| // etc | ||
| }, | ||
|
|
||
| // Error fields. All of them are supported. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-error.html | ||
| error: { | ||
| message: "an error message, usually associated with outcome: failure", | ||
| // etc | ||
| }, | ||
|
|
||
| // Log fields. Only a subset is supported. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-log.html | ||
| log: { | ||
| level: "info | warning | any log level keyword you need", | ||
| logger: "name of the logger", | ||
| }, | ||
|
|
||
| // Rule fields. All of them are supported. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-rule.html | ||
| rule: { | ||
| author: ["Elastic"], | ||
| id: "a823fd56-5467-4727-acb1-66809737d943", | ||
|
There was a problem hiding this comment. This reminded me of recent
There was a problem hiding this comment. @spong Thank you for pointing to this problem 👍 ECS has a standard I'll need to figure this out - which fields to use for rule ids :) |
||
| // etc | ||
| }, | ||
|
|
||
| // User fields. Only user.name is supported. | ||
| // https://www.elastic.co/guide/en/ecs/current/ecs-user.html | ||
| user: { | ||
| name: "name of Kibana user", | ||
| }, | ||
|
|
||
| // Custom fields that are not part of ECS. | ||
| kibana: { | ||
| server_uuid: "UUID of kibana server, for diagnosing multi-Kibana scenarios", | ||
| alerting: { | ||
| instance_id: "alert instance id, for relevant documents", | ||
| action_group_id: "alert action group, for relevant documents", | ||
| action_subgroup: "alert action subgroup, for relevant documents", | ||
|
|
||
| status: "overall alert status, after alert execution", | ||
| }, | ||
| saved_objects: [ | ||
|
|
@@ -363,3 +407,14 @@ yarn test:jest x-pack/plugins/event_log --watch | |
|
|
||
| See: [`x-pack/test/plugin_api_integration/test_suites/event_log`](https://github.com/elastic/kibana/tree/master/x-pack/test/plugin_api_integration/test_suites/event_log). | ||
|
|
||
| To develop integration tests, first start the test server from the root of the repo: | ||
|
|
||
|
|
||
| ```sh | ||
| node scripts/functional_tests_server --config x-pack/test/plugin_api_integration/config.ts | ||
| ``` | ||
|
|
||
| Then start the test runner: | ||
|
|
||
| ```sh | ||
| node scripts/functional_test_runner --config x-pack/test/plugin_api_integration/config.ts --include x-pack/test/plugin_api_integration/test_suites/event_log/index.ts | ||
| ``` | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,11 +1,26 @@ | ||
| # Generating event schema | ||
|
|
||
| The files in this directory were generated by manually running the script | ||
| `../scripts/create-schemas.js` from the root directory of the repository. | ||
|
|
||
| **These files should not be edited by hand.** | ||
|
|
||
| Please follow the following steps: | ||
|
|
||
| 1. Clone the [ECS](https://github.com/elastic/ecs) repo locally so that it | ||
| resides along side your kibana repo, and checkout the ECS version you wish to | ||
| support (for example, the `1.8` branch, for version 1.8). | ||
|
|
||
| 2. In the `x-pack/plugins/event_log/scripts/mappings.js` file you'll want to | ||
| make the following changes: | ||
| - Update `EcsCustomPropertyMappings` to include the mapping of the custom | ||
| fields you wish to add. | ||
| - Update `EcsPropertiesToGenerate` to include the fields in the generated | ||
| `mappings.json`. | ||
| - Make sure to list all array fields in `EcsEventLogMultiValuedProperties`. | ||
|
|
||
| 3. Cd to the `kibana` root folder and run: | ||
|
|
||
| ```sh | ||
| node ./x-pack/plugins/event_log/scripts/create_schemas.js | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice, thx for the links!