The definition of the Client & Server field sets are pretty extensive, whereas Source & Destination's definitions are pretty bare.
We've been encouraging people to populate source & destination as a baseline, and client & server only when relevant or helpful. Elastic Security mostly considers source & destination.
However, the ECS documentation doesn't make that obvious. There's only a vague mention of prioritizing source/destination in the client/server definitions, and no mention of this in source/destination.
Related: Add mapping network event guidance doc #969
We could also consider having a standalone documentation page that talks about capturing network related events holistically. It could cover:
the src/dst baseline, and showcase when cli/srv are useful (e.g. DNS)
it could discuss populating the network.* fields
it could discuss how event.category:network + event.type:protocol should always come with network.protocol:[appropriate protocol name]. Most category/type pairs are complete on their own. But not the pair network/protocol; it should come with network.protocol.
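The three points above, as an added validation example that is not part of the issue or of ECS itself: it walks a few constructed ECS documents and reports where the source/destination baseline is missing and where an event.category:network + event.type:protocol pair lacks network.protocol. The field names are real ECS fields; the sample events and the helper names are assumptions.

```python
# Constructed sample ECS events for the checks below (not taken from the issue).
EVENTS = [
    # DNS: source/destination baseline, client/server as well, and network.protocol set
    {"event": {"category": ["network"], "type": ["protocol"]},
     "source": {"ip": "10.0.0.5", "port": 53412},
     "destination": {"ip": "10.0.0.53", "port": 53},
     "client": {"ip": "10.0.0.5", "port": 53412},
     "server": {"ip": "10.0.0.53", "port": 53},
     "network": {"protocol": "dns", "transport": "udp"}},
    # network/protocol pair without network.protocol: incomplete on its own
    {"event": {"category": ["network"], "type": ["protocol"]},
     "source": {"ip": "10.0.0.5"}, "destination": {"ip": "10.0.0.9"},
     "network": {"transport": "tcp"}},
    # Only client/server populated, so the source/destination baseline is missing
    {"event": {"category": ["network"], "type": ["connection"]},
     "client": {"ip": "10.0.0.5"}, "server": {"ip": "10.0.0.9"},
     "network": {"transport": "tcp"}},
]


def get_field(doc, path):
    """Walk a dotted ECS path such as 'network.protocol' through nested dicts."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def check_network_event(doc):
    """Return the guidance violations for one ECS event (empty list if it passes)."""
    problems = []
    if "network" not in (get_field(doc, "event.category") or []):
        return problems  # the guidance only applies to network events
    # Baseline: source.* and destination.* should always be populated;
    # client.* and server.* are an optional addition, never a replacement.
    if get_field(doc, "source.ip") is None or get_field(doc, "destination.ip") is None:
        problems.append("missing source/destination baseline")
    # network/protocol is the one category/type pair that needs network.protocol.
    types = get_field(doc, "event.type") or []
    if "protocol" in types and not get_field(doc, "network.protocol"):
        problems.append("event.type:protocol requires network.protocol")
    return problems


def check_all(events):
    """Apply the checks to every event and return one violation list per event."""
    return [check_network_event(e) for e in events]
```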