- Stage: 2 (Candidate)
- Date: 2023-03-31
This RFC proposes extending the list of allowed values for `event.kind` with an additional value, `asset`.
We want to represent a catalog of assets where each document represents some type of user or device entity. The `event.kind` field with the `asset` value will be used to identify these types of documents. It has also been proposed that we combine this with other fields to arrive at a more exact definition. For example, a user document may have these event fields specified:

```yaml
event.kind: asset
event.category: [iam]
event.type: [user, info]
```
An example of a user entity document, with `event.kind: asset`:

```json
{
  "input": {
    "type": "entity-analytics"
  },
  "@timestamp": "2023-02-23T20:03:17.489Z",
  "event": {
    "agent_id_status": "verified",
    "ingested": "2023-02-23T20:03:18Z",
    "provider": "Azure AD",
    "kind": "asset",
    "action": "user-discovered",
    "category": [
      "iam"
    ],
    "type": [
      "user",
      "info"
    ],
    "dataset": "entityanalytics_azure.users"
  },
  "user": {
    "full_name": "Test User",
    "phone": [
      "1235559999"
    ],
    "name": [
      "[email protected]"
    ],
    "id": "b3e92fd4-0269-49ae-8a26-812e952bb7ad",
    "email": "[email protected]"
  },
  "labels": {
    "identity_source": "entity-analytics-entityanalytics_azure.users-c1745610-d9a4-437f-a8f8-82ab45ace54a"
  }
}
```
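As an added example (not part of the RFC or of ECS tooling), the Python below shows how a consumer would separate asset catalog documents from ordinary events using `event.kind`, and then check the `event.category` / `event.type` pairing the RFC gives for a user asset. The sample documents are constructed here: one is a trimmed copy of the RFC's Azure AD user document, the other a login event that must not end up in the catalog. The check that a user asset carries `user.id` is an assumption added for illustration, not a requirement stated by the RFC.

```python
from typing import Any

# Field combination the RFC gives for a user asset document.
USER_ASSET_FIELDS = {"category": {"iam"}, "type": {"user", "info"}}

# Constructed sample: a trimmed copy of the RFC's Azure AD user document.
SAMPLE_USER_ASSET = {
    "event": {"kind": "asset", "category": ["iam"], "type": ["user", "info"],
              "dataset": "entityanalytics_azure.users"},
    "user": {"id": "b3e92fd4-0269-49ae-8a26-812e952bb7ad", "full_name": "Test User"},
}

# Constructed sample: an ordinary login event that must not land in the asset catalog.
SAMPLE_LOGIN_EVENT = {
    "event": {"kind": "event", "category": ["authentication"], "type": ["start"]},
    "user": {"name": "tuser"},
}

def is_asset_document(doc: dict[str, Any]) -> bool:
    """True when event.kind is 'asset', i.e. the document describes an entity, not an occurrence."""
    return doc.get("event", {}).get("kind") == "asset"

def validate_user_asset(doc: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the document has the RFC's user-asset shape."""
    problems = []
    if not is_asset_document(doc):
        problems.append("event.kind is not 'asset'")
    event = doc.get("event", {})
    for field, expected in USER_ASSET_FIELDS.items():
        missing = expected - set(event.get(field) or [])
        if missing:
            problems.append(f"event.{field} lacks {sorted(missing)}")
    # Assumption for this example: a catalog entry needs a stable entity identifier.
    if not doc.get("user", {}).get("id"):
        problems.append("user.id missing; the catalog needs a stable entity identifier")
    return problems

def split_documents(docs: list[dict[str, Any]]) -> tuple[list, list]:
    """Partition a batch into (asset catalog documents, event documents) by event.kind."""
    assets = [d for d in docs if is_asset_document(d)]
    events = [d for d in docs if not is_asset_document(d)]
    return assets, events

if __name__ == "__main__":
    catalog, stream = split_documents([SAMPLE_USER_ASSET, SAMPLE_LOGIN_EVENT])
    print(len(catalog), "asset document(s),", len(stream), "event document(s)")
    print("problems:", validate_user_asset(SAMPLE_USER_ASSET))
```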
We expect to use the `asset` value within the security solution consistently across asset management, external asset integrations, and persisting related metadata. This field may be further leveraged in observability (o11y) topology work, as that team is also exploring ways to extend the `asset.*` fields within ECS.
There are no breaking changes identified. There are no other concerns to note at this time.
The following are the people that consulted on the contents of this RFC.
- @taylor-swanson | author
- @SourinPaul | sponsor
- @MikePaquette | sponsor
- Stage 0-2: #2178