Beats: [Elastic Agent] Should add event.dataset to the logs and metric collected by the agent

Created on 16 Jul 2020 · 11 Comments · Source: elastic/beats

Should we add the event.dataset field to the logs collected by the Elastic Agent? This might be an issue with all the integrations.
We already have this information in dataset.name, so we could just copy it over.

This seems to affect the SIEM app and the ML app.
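As an added illustration of the copy the issue proposes (example code, not from the Beats project): a small Python check that backfills event.dataset from dataset.name on a batch of documents and reports the ones that still lack it. The sample documents are constructed to resemble Agent output of that period, with fields either nested or as dotted keys.

```python
# Added example, not Beats project code: backfill event.dataset from
# dataset.name. Fields may arrive as nested objects ({"dataset": {"name":
# ...}}) or as dotted keys ("dataset.name"); both shapes are handled.
from typing import Any, Dict, List, Optional, Tuple


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Return the value at a dotted path, accepting nested or dotted keys."""
    if path in doc:
        return doc[path]
    node: Any = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_field(doc: Dict[str, Any], path: str, value: Any) -> None:
    """Set a dotted path as nested objects, the shape Elasticsearch returns."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def backfill_event_dataset(docs: List[Dict[str, Any]]) -> Tuple[int, List[int]]:
    """Copy dataset.name into event.dataset where it is missing.
    Returns (documents updated, indexes still lacking event.dataset)."""
    updated, still_missing = 0, []
    for i, doc in enumerate(docs):
        if get_field(doc, "event.dataset") is not None:
            continue  # already has the field the SIEM/ML apps rely on
        name = get_field(doc, "dataset.name")
        if name is None:
            still_missing.append(i)  # neither field present: flag it
            continue
        set_field(doc, "event.dataset", name)
        updated += 1
    return updated, still_missing


# Constructed sample documents shaped like Agent output at the time of the issue.
SAMPLE_DOCS = [
    {"dataset": {"name": "system.syslog", "type": "logs"}, "message": "cron ran"},
    {"dataset.name": "endpoint.events.process", "event": {"category": "process"}},
    {"event": {"dataset": "nginx.access"}, "message": "GET /"},
    {"message": "no dataset fields at all"},
]
```

Running backfill_event_dataset(SAMPLE_DOCS) updates the first two documents and reports index 3 as still missing event.dataset.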

Ingest Management bug

All 11 comments

Pinging @elastic/ingest-management (Team:Ingest Management)

@bradenlpreston @crowens is this something you were following up on too?

@james-elastic and/or @jonathan-buttner are going to look at this I think.

Thanks we'll look into this

Are there other data fields we'd need to add? Just mentioning, I expect it's not just the one. And thanks PH for logging it. :)

@james-elastic @crowens @EricDavisX is the issue here that the event.dataset field is not present in the documents in elastic search that are sent by the endpoint?

@webmat Is there any other field than event.dataset that the solutions' UI depends on?

@ph This is a question that should be asked of the solutions.

The Security app's field requirements are detailed at length here https://www.elastic.co/guide/en/siem/guide/current/siem-field-reference.html

Log UI's field requirements are detailed here https://www.elastic.co/guide/en/logs/guide/current/logs-fields-reference.html

If you're thinking of another solution I suggest reaching out to them, to find their own list of fields they care about :-)

@webmat do you think that public doc is updated and current with the additive needs that the 'Endpoint' half of the Security app will need? I'm not aware of that doc, and I'm in much of the Security side discussion so it seems a fair question as to who was involved and when it was updated, etc. Thanks for the convo - we can move it out of this closed issue if better?

Happy to follow the discussion wherever is most appropriate, if you feel the need to move it. I was just answering PH, so I'm good :-)

This was developed by the SIEM team, prior to the merge with Endpoint indeed. I know this doc page was very frequently requested, and its creation was celebrated. So I assume it's pretty up to date wrt what the Security app in Kibana consumes.

But whether this takes into account other related areas like Endpoint and the detection engine is a great question to ask the overall security team. I'm not sure what their plans are, whether there's another doc page, or if this one should be updated.

Thanks @webmat, I didn't know about these docs.
