Comments (7)
@ruflin ECS how would this composition be implemented? My first reaction is that the composition strings are actually additional things to remember, and might make ECS harder to understand.

We already do a bit of composition at the moment, for example in `source.*` and `destination.*`, which use the host fields. From an "implementation" perspective using composition could be as simple as defining the following in yaml:

```yaml
- name: source
  composed_of: geo, host
```

Then the generator would do all the magic.
My bigger concern is how we make that understandable and visible to the user. This is where I think the reusing of objects becomes nice. We can mention where we recommend using the host object, but we don't have to repeat all the fields every time. And users adding non-ECS fields on the top level can still reuse, for example, host inside them.
I would go for simplicity and have the reused objects present and visible, so I would not go for composition, personally.
If we make `ip` also a top level field like `message`, would this solve the issue of having too much nesting? This means for the above it could be `c.ip` or `c.host.ip`, meaning `host.ip` is just reusing the field.
I think composing to c.ip, ... could lead to a lower number of reusable objects. Yes, for this use case it is clear and at first sight nice, but I vote for the longer names. Everyone can see here from which parts it is composed.
New example. For some logs from the switch I have the following fields:

- source.host.mac
- client.host.mac
- switch.port.number

where source.host.mac is the source MAC of the traffic, client.host.mac is the MAC stored in the switch, and switch.port.number is the port of the switch.

So by assigning ip, mac, port, ... under host, it is clear these values are related to the host interface which initialised the connection, while switch.port.* is related to the physical port of the switch (e.g. switch.port.number, switch.port.link_status). So "port" cannot be a top-level field, because sometimes it has a numeric value (host usage) and sometimes it is an object.

Also the switch itself can have a management IP, so if someone needed to mix it into one event, there would be switch.host.ip, switch.host.port, switch.port ...
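A toy expander for the two ideas argued over above: a generator that flattens `composed_of` declarations into dotted field names, and a check that rejects the leaf/object clash described for `port` when reusable fields are hoisted to the top level (`c.ip`). This is an added example, not the ECS generator or its schema; the `fields` and `hoist` keys and the sample types are constructed assumptions.

```python
# Constructed toy of an ECS-style schema generator. The real ECS tooling and
# its YAML keys (other than the `composed_of` idea in the thread) are not used.

class MappingConflict(Exception):
    """A dotted path is used both as a leaf field and as an object."""

# Constructed reusable objects: name -> {leaf: type}.
REUSABLE = {
    "host": {"ip": "ip", "mac": "keyword", "port": "long"},
    "geo": {"country_iso_code": "keyword", "location": "geo_point"},
}

def check_conflicts(flat):
    """Raise if any leaf name is also the parent (object) of another field."""
    for name in flat:
        parts = name.split(".")
        for i in range(1, len(parts)):
            parent = ".".join(parts[:i])
            if parent in flat:
                raise MappingConflict(
                    f"{parent!r} is a {flat[parent]} leaf but also an object "
                    f"(parent of {name!r})")

def expand(field_sets, reusable=REUSABLE):
    """Flatten field sets into {dotted_name: type}.

    `composed_of` nests reusable objects under their own name (source.host.ip),
    `fields` adds the set's own leaves, and `hoist` copies a reusable leaf to
    the top level of the set (client.ip), as proposed in the thread.
    """
    flat = {}
    for fs in field_sets:
        prefix = fs["name"]
        for obj in fs.get("composed_of", []):
            for leaf, typ in reusable[obj].items():
                flat[f"{prefix}.{obj}.{leaf}"] = typ
        for leaf, typ in fs.get("fields", {}).items():
            flat[f"{prefix}.{leaf}"] = typ
        for obj, leaf in fs.get("hoist", []):
            flat[f"{prefix}.{leaf}"] = reusable[obj][leaf]
    check_conflicts(flat)
    return flat

# Constructed field sets mirroring the switch example from the thread.
SWITCH_LOG = [
    {"name": "source", "composed_of": ["host", "geo"]},
    {"name": "client", "composed_of": ["host"]},
    {"name": "switch", "composed_of": ["host"],
     "fields": {"port.number": "long", "port.link_status": "keyword"}},
]
```

Running `expand(SWITCH_LOG)` yields 13 leaves such as `switch.host.port` and `switch.port.number`; adding `"hoist": [("host", "port")]` to the switch set makes `switch.port` a numeric leaf and an object at once, and `expand` raises `MappingConflict`.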
Based on the decision that we have reusable objects like os, we are reusing some of the objects and define the ones that can be reused. Closing.