forked from elastic/ecs
observer.yml
---
- name: observer
  title: Observer
  group: 2
  short: Fields describing an entity observing the event from outside the host.
  description: >
    An observer is defined as a special network, security, or application device
    used to detect, observe, or create network, security, or application-related events and metrics.
    This could be a custom hardware appliance or a server that has been configured
    to run special network, security, or application software.
    Examples include firewalls, web proxies, intrusion detection/prevention systems,
    network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers.
    The observer.* fields shall be populated with details of the system, if any,
    that detects, observes and/or creates a network, security, or application event or metric.
    Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
  type: group
  fields:
    - name: mac
      level: core
      type: keyword
      description: >
        MAC addresses of the observer.
      normalize:
        - array
    - name: ip
      level: core
      type: ip
      description: >
        IP addresses of the observer.
      normalize:
        - array
    - name: hostname
      level: core
      type: keyword
      description: >
        Hostname of the observer.
    - name: name
      level: extended
      type: keyword
      short: Custom name of the observer.
      description: >
        Custom name of the observer.
        This is a name that can be given to an observer. This can be helpful
        for example if multiple firewalls of the same model are used in an
        organization.
        If no custom name is needed, the field can be left empty.
      example: 1_proxySG
    - name: product
      level: extended
      type: keyword
      description: >
        The product name of the observer.
      example: s200
    - name: vendor
      level: core
      type: keyword
      description: >
        Vendor name of the observer.
      example: Symantec
    - name: version
      level: core
      type: keyword
      description: >
        Observer version.
    - name: serial_number
      level: extended
      type: keyword
      description: >
        Observer serial number.
    - name: type
      level: core
      type: keyword
      short: The type of the observer the data is coming from.
      description: >
        The type of the observer the data is coming from.
        There is no predefined list of observer types. Some examples are
        `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
      example: firewall
    - name: ingress
      level: extended
      type: object
      short: Object field for ingress information
      description: >
        Observer.ingress holds information like interface number and name, vlan, and zone information to
        classify ingress traffic. Single armed monitoring such as a network sensor on a span port should
        only use observer.ingress to categorize traffic.
    - name: ingress.zone
      level: extended
      type: keyword
      short: Observer ingress zone
      example: DMZ
      description: >
        Network zone of incoming traffic as reported by the observer to categorize the source area of ingress
        traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
    - name: egress
      level: extended
      type: object
      short: Object field for egress information
      description: >
        Observer.egress holds information like interface number and name, vlan, and zone information to
        classify egress traffic. Single armed monitoring such as a network sensor on a span port should
        only use observer.ingress to categorize traffic.
    - name: egress.zone
      level: extended
      type: keyword
      short: Observer Egress zone
      example: Public_Internet
      description: >
        Network zone of outbound traffic as reported by the observer to categorize the destination area of egress
        traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
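As an added example that is not part of ECS or this fork, the following Python applies the rules of the schema above to a raw observer record: the `normalize: array` rule for mac and ip, pre-validation of the `type: ip` field, nesting of `ingress.zone` / `egress.zone` under their `type: object` parents, and the schema's note that a single-armed sensor should only use observer.ingress. The function and helper names (`normalize_observer`, `_as_list`, `_set_nested`, the `single_armed` flag) are assumptions made for this example.

```python
"""Normalise a flat dict of observer attributes onto the ECS observer.* field set.
Field rules are transcribed from observer.yml above; the validation logic is an assumption."""
import ipaddress

ARRAY_FIELDS = {"mac", "ip"}  # fields declared with `normalize: - array`
KEYWORD_FIELDS = {"mac", "hostname", "name", "product", "vendor", "version",
                  "serial_number", "type", "ingress.zone", "egress.zone"}


def _as_list(value):
    """`normalize: array` semantics: wrap a scalar, keep a list, treat None as empty."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def _set_nested(doc, dotted, value):
    """Store `ingress.zone` as doc["ingress"]["zone"], matching the `type: object` parents."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def normalize_observer(raw, single_armed=False):
    """Return ({"observer": {...}}, problems).

    Malformed IPs are dropped and reported instead of forwarded, because a bad value in a
    `type: ip` field causes Elasticsearch to reject the whole document. For a single-armed
    observer (e.g. a sensor on a span port) egress.* is discarded, per the schema text.
    """
    observer, problems = {}, []
    for field, value in raw.items():
        if field == "ip":
            ips = []
            for candidate in _as_list(value):
                try:
                    ips.append(str(ipaddress.ip_address(str(candidate).strip())))
                except ValueError:
                    problems.append(f"observer.ip: dropped invalid address {candidate!r}")
            observer["ip"] = ips
        elif field in KEYWORD_FIELDS:
            if single_armed and field.startswith("egress."):
                problems.append(f"observer.{field}: dropped for single-armed observer")
                continue
            if field in ARRAY_FIELDS:
                _set_nested(observer, field, [str(v) for v in _as_list(value)])
            else:
                _set_nested(observer, field, str(value))
        else:
            problems.append(f"observer.{field}: not an ECS observer field, dropped")
    return {"observer": observer}, problems
```

The `problems` list is meant for an ingest pipeline's error tag or a log line, so that silently dropped data stays visible to whoever tunes the source.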