proposal for Event fields
I would like to propose two new event fields that I think would be useful:
- event.level (keyword)
- event.sequence (long)
event.level is the human-readable companion field to event.severity, essentially identical in use to log.level (which could be deprecated/removed in favor of event.level).
event.sequence is another integrity field (like event.hash) for event sources that emit events in sequence, to detect missing events and/or order events that may have time stamps based on receipt time rather than emit time (syslog over UDP comes to mind).
While I'm on the topic of the Event group, is event.id meant to be a unique id for an instance of an event (such that two identical events would have different and unique event.id) or is it meant to handle the case where events have numeric or coded identifiers, e.g.:
%ASA-3-610001: NTP daemon interface interface_name : Packet denied from IP_address
might look something like the following in ECS 1.0
{
  ...
  "message": "000045: %ASA-3-610001: NTP daemon interface interface_name : Packet denied from IP_address",
  "event": {
    "action": "denied",
    "category": "firewall",
    "id": "610001",
    "severity": 3,
    "level": "ERROR",
    "sequence": 45,
    "version": "1.0.0"
  }
  ...
}
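To make the proposal concrete, here is an added example (not code from the issue or from ECS) that maps Cisco ASA syslog lines of the form shown above onto the proposed fields and then uses event.sequence as an integrity signal: it orders a batch by emit sequence rather than by receipt time and reports missing, out-of-order and duplicated sequence numbers. The sample lines are constructed for the example, the level names in SEVERITY_TO_LEVEL are an assumption (ECS does not define them), and the "<seq>: %ASA-<severity>-<id>: <text>" layout is assumed to be the form the device emits when sequence numbering is enabled.

```python
import re

# Constructed sample input (not from the original issue). Emit order deliberately
# has 48 before 47 and skips 49, to exercise the sequence checks below.
SAMPLE_LINES = [
    "000045: %ASA-3-610001: NTP daemon interface inside: Packet denied from 198.51.100.7",
    "000046: %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/4321 (203.0.113.5/4321) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "000048: %ASA-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:10.0.0.8/22 by access-group \"OUTSIDE_IN\"",
    "000047: %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/4321 to inside:10.0.0.8/443 duration 0:00:01 bytes 1024 TCP FINs",
    "000050: %ASA-3-610001: NTP daemon interface inside: Packet denied from 198.51.100.7",
]

# Syslog severity numbers (0 = most severe) paired with a human-readable level.
# The level strings are an assumption for this example, not an ECS definition.
SEVERITY_TO_LEVEL = {
    0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
    4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG",
}

# The leading "<seq>: " is optional; devices only emit it when configured to.
ASA_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?%ASA-(?P<sev>[0-7])-(?P<id>\d+):\s*(?P<text>.*)$"
)


def parse_asa(line):
    """Map one ASA line onto the event.* fields discussed in the issue.

    Returns None for lines that are not ASA messages. event.id carries the
    message code (stable across instances), event.severity the number the
    device emitted, event.level its human-readable name, and event.sequence
    the emit counter when one is present.
    """
    m = ASA_RE.match(line)
    if m is None:
        return None
    sev = int(m.group("sev"))
    event = {"id": m.group("id"), "severity": sev, "level": SEVERITY_TO_LEVEL[sev]}
    if m.group("seq") is not None:
        event["sequence"] = int(m.group("seq"))
    return {"message": line, "event": event}


def check_sequence(events):
    """Use event.sequence as an integrity signal over a batch of events.

    Returns a dict with:
      ordered      - sequenced events sorted by emit order, timestamps ignored
      missing      - sequence numbers absent between the lowest and highest seen
      out_of_order - sequence numbers that arrived after a higher one
      duplicates   - sequence numbers seen more than once (e.g. retransmits)
      unsequenced  - events with no sequence, reported rather than guessed at
    """
    seq_events = [e for e in events if "sequence" in e["event"]]
    unsequenced = [e for e in events if "sequence" not in e["event"]]
    seqs = [e["event"]["sequence"] for e in seq_events]

    out_of_order = [s for prev, s in zip(seqs, seqs[1:]) if s < prev]
    seen, duplicates = set(), []
    for s in seqs:
        if s in seen and s not in duplicates:
            duplicates.append(s)
        seen.add(s)
    missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seen) if seqs else []
    ordered = sorted(seq_events, key=lambda e: e["event"]["sequence"])
    return {
        "ordered": ordered,
        "missing": missing,
        "out_of_order": out_of_order,
        "duplicates": sorted(duplicates),
        "unsequenced": unsequenced,
    }


def analyze(lines):
    """Parse a batch of raw lines and run the sequence checks on the result."""
    events = [e for e in map(parse_asa, lines) if e is not None]
    return check_sequence(events)


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for e in result["ordered"]:
        print(e["event"])
    print("missing:", result["missing"], "out of order:", result["out_of_order"])
```

On the constructed input the batch reorders to 45, 46, 47, 48, 50, reports 49 as missing and 47 as having arrived out of order. A gap in event.sequence is only meaningful per source and per counter reset, so in practice the batch passed to check_sequence should be keyed by the emitting device.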
Top GitHub Comments
For now I would start with only guidance on how to normalize event.level. I would also be very careful to not map words from one to another. I would rather add PG's "panic" than map it to "emergency".
I would hold off for now on assigning a numeric value. Here are two reasons that come to mind:
I’m thinking this mapping to numeric could very well be useful, but for now I would leave it out of the spec. Organizations are free to attempt this, see they derive value out of this normalization, and report back their findings.
Most up to date list, now including “panic”:
I think we should leave event.severity as a distinct value that is orthogonal to the use of the proposed event.level. I'm coming at this from a security perspective, where the severity may be ranked on a scale of 1 to 3 (in the case of Suricata/Snort alerts where 1 is the most severe) or 1 to 10 as a float with regards to something like CVSS vulnerability scores (where 10 is the most severe). I think severity in particular is likely a very use-case specific thing.