
Host with multiple ip addresses #724

Closed
willemdh opened this issue Jan 14, 2020 · 5 comments

Comments

@willemdh
Contributor

Hello,

I was wondering how ecs handles host events with multiple ip and mac addresses?

Can host.ip and host.mac be an array?

Example event:

361 <46>1 2020-01-14T15:28:43.437000Z sysloghost CylancePROTECT - - - Event Type: Device, Event Name: SystemSecurity, Device Name: Nezfezf73, Agent Version: 2.1.1550.514, IP Address: (1.5.182.131, 1.2.18.182), MAC Address: (025331000101, 38C9330063A1), Logged On Users: (dzdrersy), OS: macOS High Sierra 10.13.6 x64 10.13.6, Zone Names: (Clients_iOS_Stage4)

Grtz

Willem

@webmat
Contributor

webmat commented Jan 14, 2020

Yes they should both be arrays. When you try the Beats with add_host_metadata, you'll see that this is how they're both being captured already.

ECS started out not specifying which field should be an array explicitly, because Elasticsearch is lenient on how it indexes arrays of scalars vs single scalars.

But recently the need to clearly define which field should be an array vs not has been mounting (e.g. upcoming ECS logging libraries).

Work has started on identifying this more clearly here #661, and I've been continuing the work in this branch (not yet a PR) https://github.com/webmat/ecs/commits/is-array-markers.

@willemdh
Contributor Author

willemdh commented Jan 14, 2020

Nice @webmat, seems you are on top of this. Closing this issue.

@willemdh
Contributor Author

willemdh commented Jan 16, 2020

@webmat Just wondering if you are planning to make user.name an array too?

For example:

Event Type: Device, Event Name: SystemSecurity, Device Name: SRVM01, Agent Version: 2.1.1550.17, IP Address: (1.2.2.12), MAC Address: (4C5288410010), Logged On Users: (DOMAIN\denedzdz, DOMAIN\verbeea), OS: Microsoft Windows Server 2016 Standard x64 10.0.14393, Zone Names: (Servers_Stage4)

As 2 users are detected on this system (I have similar logs with 5+ users)

  • DOMAIN\denedzdz
  • DOMAIN\verbeea

, do I put them both in user.name?

@webmat
Contributor

webmat commented Jan 17, 2020

I wouldn't recommend that, no. user.* is meant to describe one user, not many.

Reporting on the quantity of logged in users should use custom fields, to capture exactly the semantics you need.

Then you can make them easy to find, along with other events where the users are the entities being reported on (and are therefore at user.name) by reliably filling related.user in all your events.

@willemdh
Contributor Author

@webmat In the ideal situation I would need an array of nested objects, but as Kibana doesn't handle nested objects well, related.user is for now the 'best' solution. Not ideal though, as the usernames contain the domain too (DOMAIN\user), so searches would have to accommodate that..

I'm wondering what other datasets have similar issues and how they manage this.
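The mapping this thread converges on (host.ip and host.mac as arrays, user.* left single-valued, the logged-on users recorded in related.user plus a custom field), as an added example that is not part of the issue or of the ECS project. The sample message, the cylance.* custom field names, the dropping of the DOMAIN\ prefix for related.user, and the hyphenated MAC form are assumptions made here, not something the thread specifies.

```python
import re

# Constructed sample, modelled on the CylancePROTECT message bodies quoted in this
# issue (syslog header already stripped); every value is made up.
SAMPLE = ("Event Type: Device, Event Name: SystemSecurity, Device Name: SRVM01, "
          "Agent Version: 2.1.1550.17, IP Address: (1.2.2.12, 10.0.0.5), "
          "MAC Address: (4C5288410010, 025331000101), "
          "Logged On Users: (DOMAIN\\denedzdz, DOMAIN\\verbeea), "
          "OS: Microsoft Windows Server 2016 Standard x64 10.0.14393, Zone Names: (Servers_Stage4)")

# "Key: value" pairs separated by ", "; a parenthesised value is a list and may contain commas.
FIELD_RE = re.compile(r"([A-Za-z ]+): (\([^)]*\)|[^,]+)")

def as_list(value):
    """Wrap a scalar (or None) so downstream code can rely on array-typed fields."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def parse_cylance(msg):
    """Return the message's fields as a dict; parenthesised values become Python lists."""
    fields = {}
    for key, val in FIELD_RE.findall(msg):
        if val.startswith("("):
            fields[key.strip()] = [v.strip() for v in val[1:-1].split(",") if v.strip()]
        else:
            fields[key.strip()] = val.strip()
    return fields

def format_mac(raw):
    """'4C5288410010' -> '4C-52-88-41-00-10' (hyphenated uppercase; an assumed convention)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return "-".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))

def to_ecs(fields):
    """Map to ECS as discussed above: host.ip / host.mac are arrays, user.* is not set
    because several users were seen, so they go to related.user and a custom field."""
    users = as_list(fields.get("Logged On Users"))
    return {
        "host": {
            "name": fields.get("Device Name"),
            "ip": as_list(fields.get("IP Address")),
            "mac": [format_mac(m) for m in as_list(fields.get("MAC Address"))],
            "os": {"full": fields.get("OS")},
        },
        # related.user holds the bare account names (DOMAIN\ prefix dropped here so searches
        # need not accommodate the domain); the raw values are kept in the custom field.
        "related": {"user": sorted({u.split("\\", 1)[-1] for u in users})},
        "cylance": {"logged_on_users": users, "zone_names": as_list(fields.get("Zone Names"))},
    }
```

Run `to_ecs(parse_cylance(SAMPLE))` to see the resulting document; a single-valued "IP Address" without parentheses still lands in an array.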
