Add event.zone and event.environment fields #2306
Labels
enhancement
New feature or request
Comments
|
I personally like this idea, and came here looking for this same concept. Not entirely sure if It might also be good to have say |
|
Ah yes, ecs network is for both host and network events so network.zone and network.environment might be better. |
|
Another contender is network.environment |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have beats/elastic-agent collecting log data from many different regional offices, cloud environment's and third-party services.
We do zone tagging to make it easier for security analysts/IT select the metrics/logs in a specific zone. During triage of security alerts this also helps analysts know which IT team is responsible for the host/service which caused the security alert.
zone: the network zone the event was collected from
environment: the environment within the above network zone
zone can be a
country code like uk, us, ca, ky
cloud name like gcp, azure, oci or aws
for third-party services the zone is api or external
environment can be
prod
production
dev
development
non-prod
test
uat
Would the following fields be a good additions to ecs?
event.zone
event.environment
Examples of event.zone
event.zone:ca
event.zone:us
event.zone:uk
event.zone:gb
event.zone:ir
event.zone:sa
event.zone:aws
event.zone:gcp
event.zone:oci
event.zone:azure
event.zone:api
event.zone:external
examples of event.envrionment
event.environment:prod
event.environment:non-prod
event.environment:dev
event.environment:test
event.environment:uat
These fields would be set in the Fleet Policy settings.
The text was updated successfully, but these errors were encountered: