
[RFC] Data source categorization field values #954

Closed
wants to merge 6 commits into from
Conversation

@jamiehynds (Contributor) commented Aug 26, 2020

0000: Data Source Categorization Fields

  • Stage: 0 (strawperson)
  • Date: August 26 2020

Elastic currently supports ingestion of data from 180+ sources, and growing. However, we do not have a coherent way to categorize these sources. This has resulted in a disconnect in how we categorize these sources on the Elastic website, in in-product experiences and in ECS.

The fieldset we use to describe the data source is up for discussion; data_stream.category is a possibility. Here are the proposed allowed values:

  • apm
  • application
  • audit
  • CASB
  • cloud
  • collaboration
  • Config Management
  • containers
  • CRM
  • EDR
  • email
  • firewall
  • Identity and access management
  • IDS/IPS
  • Operating System
  • productivity
  • proxy
  • queue/message queue
  • security
  • storage
  • threat intelligence
  • ticketing
  • VPN
  • vulnerability scanner
  • Web server

Usage

Categorization fields in ECS can govern how we categorize these data sources, but only a limited set of event.category values are supported by the schema today. The event categorization fields are catered to individual events, but don't categorize the data source. Expanding the values we support allows us to align the user experience from ECS, Ingest Manager and the Elastic website (elastic.co/integrations). Some additional context here: #845 (comment).

These categories could also be used to categorize detection rules, to map data sources to corresponding rules. This would improve our onboarding experience by suggesting detection rules to users based on the sources they are ingesting data from.

People

The following are the people that consulted on the contents of this RFC.

References

#901
#845

RFC Pull Requests

@jamiehynds jamiehynds added the RFC label Aug 26, 2020
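As an added illustration of the two usages described in the RFC (validating a data source category against the proposed allowed list, and mapping ingested sources to detection rules), here is a small Python example. It is not ECS or Elastic code: the field name data_stream.category is taken from the RFC's "possibility", the lowercase normalization, the sample events and the rule-to-category mapping are all assumptions constructed for the example.

```python
"""Constructed example: validate the proposed data_stream.category values
and suggest detection rules from the categories actually being ingested.

Not ECS or Elastic code. The field name data_stream.category, the sample
events and the rule definitions below are assumptions for illustration."""

# The allowed values proposed in the RFC, copied as written (mixed case).
PROPOSED_VALUES = [
    "apm", "application", "audit", "CASB", "cloud", "collaboration",
    "Config Management", "containers", "CRM", "EDR", "email", "firewall",
    "Identity and access management", "IDS/IPS", "Operating System",
    "productivity", "proxy", "queue/message queue", "security", "storage",
    "threat intelligence", "ticketing", "VPN", "vulnerability scanner",
    "Web server",
]


def normalize(value: str) -> str:
    """Trim and lower-case so 'EDR' and 'edr' compare equal.
    Assumption: a finalized keyword field would use a single canonical case."""
    return value.strip().lower()


# Canonical allowed set; membership checks go through normalize().
ALLOWED = frozenset(normalize(v) for v in PROPOSED_VALUES)

# Constructed sample events (not real data). Only data_stream.category matters.
SAMPLE_EVENTS = [
    {"data_stream": {"category": "firewall"}, "event": {"category": ["network"]}},
    {"data_stream": {"category": "EDR"}},
    {"data_stream": {"category": "Identity and Access Management"}},
    {"data_stream": {"category": "antivirus"}},   # not in the proposed list
    {"event": {"category": ["process"]}},         # field absent entirely
]

# Constructed rule catalog: rule name -> set of source categories it needs.
# Hypothetical names; not rules from any real rule set.
SAMPLE_RULES = {
    "Inbound connection to rare port": {"firewall"},
    "Suspicious process from endpoint agent": {"edr"},
    "Credential access followed by outbound tunnel": {
        "identity and access management", "vpn"},
    "Web shell upload": {"web server"},
}


def category_of(event: dict):
    """Read data_stream.category from a nested event dict, or None."""
    return event.get("data_stream", {}).get("category")


def validate_event(event: dict):
    """Return a problem string for the event's category, or None if valid."""
    raw = category_of(event)
    if raw is None:
        return "missing data_stream.category"
    if normalize(raw) not in ALLOWED:
        return f"unknown data_stream.category value: {raw!r}"
    return None


def ingested_categories(events) -> set:
    """Canonical categories present among the events that validate cleanly."""
    return {normalize(category_of(e)) for e in events if validate_event(e) is None}


def suggest_rules(events, rules=SAMPLE_RULES) -> list:
    """Rules whose required categories are all being ingested, sorted by name."""
    have = ingested_categories(events)
    return sorted(name for name, needs in rules.items() if needs <= have)


def missing_sources(events, rules=SAMPLE_RULES) -> dict:
    """For rules not yet enabled, the categories a user still needs to onboard."""
    have = ingested_categories(events)
    return {name: needs - have for name, needs in rules.items() if not needs <= have}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        problem = validate_event(e)
        print("ok  " if problem is None else "BAD ", category_of(e), problem or "")
    print("suggested rules:", suggest_rules(SAMPLE_EVENTS))
    print("still missing:", missing_sources(SAMPLE_EVENTS))
```

Validation is deliberately done before suggestion: an event whose category is absent or not in the allowed set contributes nothing to the ingested set, so a typo in one integration's category cannot cause a rule to be recommended against a source that is not actually being collected.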
@ebeahan (Member) commented Aug 26, 2020

Thanks for opening @jamiehynds - the content looks good for stage 0! We'll need to adjust the commits and branching (git is always fun 😂 ) before we can merge.

It might be simplest to start fresh with a second PR which we copy/paste your contents from above into it. I'd put some steps together: https://gist.github.com/ebeahan/c479f03f3b84caf895f63b894fed1af9. All the steps are using the GitHub site. We can also run through the steps together some time as well.

@jamiehynds jamiehynds closed this Aug 27, 2020
@jamiehynds (Contributor, Author)

Closing this one out, new PR here: #958
