Add audit fileset to googlecloud module #15200
Conversation
Pinging @elastic/siem (Team:SIEM)
Up until ECS 1.3, event.type was reserved and should not have been used.
With ECS 1.4 we've started introducing the first allowed values for the 4 ECS categorization fields, event.type is one of them. If none of the values currently allowed per this new documentation section are fitting for this event source, the fields should be left empty for now.
Other than event.type, this LGTM though.
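As an added example (not code from this PR or from Beats), the rule stated above can be checked mechanically before review: walk a fileset's ingest pipeline, find every `set` processor that writes event.category or event.type, and flag values outside the allowed ECS lists. The allowed-value sets below are this example's assumption of the ECS 1.4 lists; the sample pipeline is constructed, and templated values (`{{ ... }}`) are skipped because they cannot be checked statically.

```python
import json

# Assumed ECS 1.4 allowed values; verify against the ECS docs for your target release.
ECS_ALLOWED = {
    "event.category": {
        "authentication", "database", "driver", "file", "host", "iam",
        "intrusion_detection", "malware", "network", "package", "process", "web",
    },
    "event.type": {
        "access", "admin", "allowed", "change", "connection", "creation", "deletion",
        "denied", "end", "error", "group", "info", "installation", "protocol",
        "start", "user",
    },
}

# Constructed sample: an ingest pipeline that sets one allowed and one non-allowed value.
SAMPLE_PIPELINE = json.loads("""
{
  "processors": [
    {"set": {"field": "event.kind", "value": "event"}},
    {"set": {"field": "event.category", "value": "network"}},
    {"set": {"field": "event.type", "value": ["access", "audit"]}},
    {"set": {"field": "event.action", "value": "{{json.protoPayload.methodName}}"}}
  ]
}
""")


def check_pipeline(pipeline):
    """Return (field, value) pairs written by `set` processors that fall outside
    the allowed ECS lists. Fields without allowed lists and templated values are ignored."""
    problems = []
    for proc in pipeline.get("processors", []):
        cfg = proc.get("set")
        if not cfg or cfg.get("field") not in ECS_ALLOWED:
            continue
        field = cfg["field"]
        value = cfg.get("value")
        values = value if isinstance(value, list) else [value]
        for v in values:
            if isinstance(v, str) and "{{" in v:
                continue  # rendered per event; cannot be validated here
            if v not in ECS_ALLOWED[field]:
                problems.append((field, v))
    return problems


if __name__ == "__main__":
    for field, value in check_pipeline(SAMPLE_PIPELINE):
        print(f"{field}: {value!r} is not an allowed value; leave the field empty instead")
```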
I can leave these two fields empty: event.category and event.type. However, currently for the googlecloud module, vpcflow fileset uses the following:
And firewall fileset uses:
So the audit fileset sets these fields to be somehow consistent.
@alakahakai Every time I've seen one of the reserved fields being used, I've warned that it would have to change eventually, and that the fields shouldn't be used. Many times this was ignored 🤷♂ If you leave it like this, you're setting yourself up to have to change this module as well, in the 7.x line.
@webmat I will not set these two fields for now. Thanks.
Add audit fileset to googlecloud module to support GCP audit log.