[RFC] Asset Integrations & Entity Store RFC - Stage 0 #2215
0041: Asset Integration
This proposal extends the existing ECS field set to store inventory metadata for hosts and users from external application repositories. Using ECS to store such fields will improve metadata querying and retrieval across various use cases.
Terminologies: The Entity Analytics initiative within Security refers to hosts and users as entities. Other generic security and observability use cases may refer to hosts/users as assets. Certain directory services or asset management applications use the term 'device' when referring to a host. In this RFC, I have simplified these terminologies to users and hosts, and these will represent all the neighboring terms.

This proposal includes the following:
- users and os objects.
- assets.

This proposal will also facilitate storing host and user inventory within the security solution (the entity store).
Fields

Proposed New Fields for User object

asset.id
value) assigned to the user. This field acts as a correlation identifier for the host event document.

Proposed New Fields for Asset object

asset.owner
field should always be included.

Nesting of existing risk.* fields under asset object

Proposed New Fields for os.* object
Usage
As part of Entity Analytics, we are ingesting metadata about Users and Hosts from various external vendor applications. We are storing all ingested metadata in Elasticsearch. After we map these fields to ECS, we will enrich these ingested events for risk-scoring scenarios (e.g., context enrichments) and for detecting advanced analytics (UBA) use cases.

This schema will persist Observed (queried) entities from the ingested security log dataset in an Entity store. This entity store can be further extended to meet broader Asset Management needs. Additional enrichment use cases for existing prebuilt detection rules will leverage these ECS fields.
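As an added illustration (not code from the RFC or from the Entity Analytics integrations), the enrichment and entity-store flow described above in Python: observed events are joined to an inventory snapshot on asset.id, inventory values never overwrite what was observed, and every asset.id folds into one entity-store document. The inventory, the sample events, the risk.static_score value and the bookkeeping keys (observations, last_seen, inventory_match) are constructed assumptions, not ECS fields.

```python
import copy
# Constructed inventory snapshot keyed on asset.id; asset.risk.* nests the existing risk.* fields as proposed.
INVENTORY = {"host-4711": {
    "asset": {"id": "host-4711", "owner": "it-ops", "risk": {"static_score": 72.0}},
    "host": {"name": "srv-db-01"}, "os": {"name": "Ubuntu", "version": "22.04"}}}
# Constructed observed events: two for a known asset, one for an unknown id, one with no asset.id at all.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "asset": {"id": "host-4711"}, "host": {"ip": "10.0.0.5"}},
    {"@timestamp": "2024-05-02T10:00:00Z", "asset": {"id": "host-4711"}, "os": {"name": "Ubuntu"}},
    {"@timestamp": "2024-05-02T11:00:00Z", "asset": {"id": "unknown-1"}},
    {"@timestamp": "2024-05-02T12:00:00Z", "host": {"name": "orphan"}},
]

def asset_id_of(doc):
    """asset.id is the RFC's correlation identifier; None when absent or not a string."""
    asset = doc.get("asset")
    return asset.get("id") if isinstance(asset, dict) and isinstance(asset.get("id"), str) else None

def merge_missing(target, source):
    """Recursively copy source into target without overwriting values already observed."""
    for key, value in source.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            merge_missing(target[key], value)
        elif key not in target:
            target[key] = copy.deepcopy(value)

def enrich_event(event, inventory):
    """Join one observed event to its inventory record on asset.id; returns (doc, matched)."""
    record = inventory.get(asset_id_of(event))
    out = copy.deepcopy(event)
    if record is not None:
        merge_missing(out, record)
    return out, record is not None

def build_entity_store(events, inventory):
    """Fold events into one document per asset.id: the observed entities of the store.
    'observations', 'last_seen' and 'inventory_match' are bookkeeping keys assumed here, not ECS fields."""
    store = {}
    for event in events:
        doc, matched = enrich_event(event, inventory)
        asset_id = asset_id_of(doc)
        if asset_id is None:
            continue  # no correlation identifier: the event cannot be attributed to an entity
        entry = store.setdefault(asset_id, {"observations": 0, "inventory_match": matched, "last_seen": ""})
        entry["observations"] += 1
        entry["last_seen"] = max(entry["last_seen"], doc.get("@timestamp", ""))
        for section in ("asset", "user", "host", "os"):  # entity-describing field sets only
            if section in doc:
                merge_missing(entry.setdefault(section, {}), doc[section])
    return store
```

Events whose asset.id is unknown to the inventory still become entities (with inventory_match False), which is the signal that an observed host or user is missing from the asset repository.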
Source data
There are many sources of asset inventory repositories. In the mid-term, we are planning to ingest data from the following application providers:
User (Identity) repository sources:
Host repository sources:
Scope of impact
Ingestion mechanisms: Entity Analytics fleet integrations are the primary ingesting mechanism for this dataset.
Usage mechanism: Elastic Security solution (Entity Analytics & Threat Hunting workflows) will be the primary user of the proposed ECS fields and values.
Concerns
People
The following are the people that consulted on the contents of this RFC.
References
RFC Pull Requests