From 6bb5ea3ddc16771d1636e7e60b5040bc3ace0d68 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Fri, 15 Jan 2021 15:00:25 -0600 Subject: [PATCH 01/10] initial outline --- docs/field-values-usage.asciidoc | 69 ++++++++++++++++++++++++++++++++ docs/field-values.asciidoc | 1 + 2 files changed, 70 insertions(+) create mode 100644 docs/field-values-usage.asciidoc diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc new file mode 100644 index 0000000000..d5ce858141 --- /dev/null +++ b/docs/field-values-usage.asciidoc @@ -0,0 +1,69 @@ +[[ecs-categorization-values-usage]] +=== Event Categorization Examples + +The following are examples use the four events categorization fields together. + +[float] +==== Firewall blocked a network connection + +[source,yaml] +---- +event: + kind: event + category: + - network + type: + - connection + - denied + outcome: + - success +---- + +[float] +==== Failed attempt to add user account + +[source,yaml] +---- +event: + kind: event + category: + - iam + type: + - user + - creation + outcome: + - failure +---- + +[float] +==== Gathering information about a file + +[source,yaml] +---- +event: + kind: event + category: + - iam + type: + - user + - creation + outcome: + - failure +---- + +[float] +=== Security application failed to block a network connection + +[source,yaml] +---- +event: + kind: alert + category: + - intrustion_detection + - network + type: + - connection + - denied + outcome: failure +---- + diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 2ff082fd3f..ca4679bab1 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc 
@@ -517,3 +517,4 @@ Indicates that this event describes a successful result. A common example is `ev Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated. +include::field-values-usage.asciidoc[] From 96c44dfc23a25e96e7c2011113904f173a3560a8 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 20 Jan 2021 15:26:25 -0600 Subject: [PATCH 02/10] update jinja template with categorization usage doc --- scripts/templates/field_values.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2 index 4789c00e09..71a65a6642 100644 --- a/scripts/templates/field_values.j2 +++ b/scripts/templates/field_values.j2 @@ -21,6 +21,13 @@ ECS defines four categorization fields for this purpose, each of which falls und NOTE: If your events don't match any of these categorization values, you should leave the fields empty. This will ensure you can start populating the fields once the appropriate categorization values are published, in a later release. + +[float] +[[ecs-category-usage]] +=== Categorization Usage + +<> contains examples combining the categorization fields to classify different types of events. + {% for field in fields %} [[ecs-allowed-values-{{ field['dashed_name'] }}]] === ECS Categorization Field: {{ field['flat_name'] }} @@ -45,3 +52,5 @@ once the appropriate categorization values are published, in a later release. {% endif %} {% endfor %} {%- endfor %} + +include::field-values-usage.asciidoc[] From 5238ec308f91a918ebab27be54f50330dbd31aa8 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Wed, 20 Jan 2021 15:26:42 -0600 Subject: [PATCH 03/10] refactoring --- docs/field-values-usage.asciidoc | 169 +++++++++++++++++++++++-------- 1 file changed, 125 insertions(+), 44 deletions(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index d5ce858141..dd69387459 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc 
@@ -1,69 +1,150 @@ [[ecs-categorization-values-usage]] -=== Event Categorization Examples +=== Categorization Usage -The following are examples use the four events categorization fields together. +The following are usage examples of populating the categorization fields. Using the categorization fields together helps identify and group common subsets of events. + +Each categorization example is based on an event from real-world data sources. Categorization fields should be populated using knowledge of each type of event a data source emits. [float] ==== Firewall blocked a network connection -[source,yaml] +Network firewalls generate events based on which network flows were allowed or denied based on the firewall's configuration. + +[source,json] ---- -event: - kind: event - category: - - network - type: - - connection - - denied - outcome: - - success +... + { + "source": { + "address": "10.42.42.42", + "ip": "10.42.42.42", + "port": 38842 + }, + "destination": { + "address": "10.42.42.1", + "ip": "10.42.42.1", + "port": 443 + }, + "rule": { + "name": "wan-lan", + "id": "default" + }, + ... + "event": { + "kind": "event", <1> + "category": [ <2> + "network" + ], + "type": [ <3> + "connection", + "denied" + ], + "outcome": "success", <4> + "action": "dropped" <5> + } + } +... +---- + +<1> The `event` value will be the most common and most general event `kind`. +<2> Event relates to network activity. +<3> The firewall blocked, dropped, or someway `denied` the attempted network `connection`. +<4> A blocked connection is expected based on the configuration of this firewall. The outcome is a `success` from the perspective of the firewall emitting the event. +<5> The data source describes this `denied` connection as `dropped`, which is best captured in `event.action`. + +A "denied" network connection falls under different actions: "blocked", "dropped", "quarantined". 
The `event.action` can capture the action taken by the source, and populating `event.type:denied` provides a normalized category which is independent of the source. + +Any network flows or connections that are "denied" can be searched with a single query: + +[source,sh] +---- +event.category:network AND event.type:denied ---- [float] -==== Failed attempt to add user account +==== Failed attempt to create a user account + +User `alice` attempts to add a user account, `bob`, into a directory service, but the action fails. -[source,yaml] +[source,json] ---- -event: - kind: event - category: - - iam - type: - - user - - creation - outcome: - - failure +{ + "user": { + "name": "alice", + "target": { + "name": "bob" + } + }, + "event": { + "kind": "event", + "category": [ <1> + "iam" + ], + "type": [ <2> + "user", + "creation" + ], + "outcome": "failure" <3> + } +} ---- +<1> Categorized using `iam` for an event user account activity. +<2> Both `user` and `creation` +<3> The creation of a user account was attempted, but it was not successful. + [float] -==== Gathering information about a file +==== Informational listing of a file -[source,yaml] +A utility, such as a file integrity monitoring (FIM) application, takes inventory of a file but does not access or modify the file. + +[source,json] ---- -event: - kind: event - category: - - iam - type: - - user - - creation - outcome: - - failure +{ + "file": { + "name": "example.png", + "owner": "alice", + "path": "/home/alice/example.png", + "type": "file" + }, + "event": { + "kind": "event", + "category": [ <1> + "file" + ], + "type": [ <2> + "info" + ] + } +} ---- +<1> A file was reported on +<2> The "info" type categorizes purely informational events. A file was listed but not accessed or modified. + [float] === Security application failed to block a network connection -[source,yaml] +An intrusion detection system (IDS) performing analysis on network connections and protocols attempts to block a connection but fails. 
+ +[source,json] ---- -event: - kind: alert - category: - - intrustion_detection - - network - type: - - connection - - denied - outcome: failure +{ + "event": { + "kind": "alert", <1> + "category": [ <2> + "intrusion_detection", + "network" + ], + "type": [ <3> + "connection", + "denied" + ], + "outcome": "failure" <4> + } +} ---- +<1> The event was associated with a detection alert from an intrusion detection application. +<2> The data source is a network-based intrusion detection application. +<3> A network connection is associated with the event, and the IDS attempted action to deny the connection from continuing. +<4> The IDS application failed to deny the connection for some reason, resulting in `outcome: failure` From 35b507806e43635560ec4e2868c2d24f8877a88a Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 20 Jan 2021 15:26:42 -0600 Subject: [PATCH 04/10] refactoring --- docs/field-values-usage.asciidoc | 169 +++++++++++++++++++++++-------- docs/field-values.asciidoc | 11 +- 2 files changed, 135 insertions(+), 45 deletions(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index d5ce858141..dd69387459 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc 
@@ -1,69 +1,150 @@ [[ecs-categorization-values-usage]] -=== Event Categorization Examples +=== Categorization Usage -The following are examples use the four events categorization fields together. +The following are usage examples of populating the categorization fields. Using the categorization fields together helps identify and group common subsets of events. + +Each categorization example is based on an event from real-world data sources. Categorization fields should be populated using knowledge of each type of event a data source emits. [float] ==== Firewall blocked a network connection -[source,yaml] +Network firewalls generate events based on which network flows were allowed or denied based on the firewall's configuration. + +[source,json] ---- -event: - kind: event - category: - - network - type: - - connection - - denied - outcome: - - success +... + { + "source": { + "address": "10.42.42.42", + "ip": "10.42.42.42", + "port": 38842 + }, + "destination": { + "address": "10.42.42.1", + "ip": "10.42.42.1", + "port": 443 + }, + "rule": { + "name": "wan-lan", + "id": "default" + }, + ... + "event": { + "kind": "event", <1> + "category": [ <2> + "network" + ], + "type": [ <3> + "connection", + "denied" + ], + "outcome": "success", <4> + "action": "dropped" <5> + } + } +... +---- + +<1> The `event` value will be the most common and most general event `kind`. +<2> Event relates to network activity. +<3> The firewall blocked, dropped, or someway `denied` the attempted network `connection`. +<4> A blocked connection is expected based on the configuration of this firewall. The outcome is a `success` from the perspective of the firewall emitting the event. +<5> The data source describes this `denied` connection as `dropped`, which is best captured in `event.action`. + +A "denied" network connection falls under different actions: "blocked", "dropped", "quarantined". 
The `event.action` can capture the action taken by the source, and populating `event.type:denied` provides a normalized category which is independent of the source. + +Any network flows or connections that are "denied" can be searched with a single query: + +[source,sh] +---- +event.category:network AND event.type:denied ---- [float] -==== Failed attempt to add user account +==== Failed attempt to create a user account + +User `alice` attempts to add a user account, `bob`, into a directory service, but the action fails. -[source,yaml] +[source,json] ---- -event: - kind: event - category: - - iam - type: - - user - - creation - outcome: - - failure +{ + "user": { + "name": "alice", + "target": { + "name": "bob" + } + }, + "event": { + "kind": "event", + "category": [ <1> + "iam" + ], + "type": [ <2> + "user", + "creation" + ], + "outcome": "failure" <3> + } +} ---- +<1> Categorized using `iam` for an event user account activity. +<2> Both `user` and `creation` +<3> The creation of a user account was attempted, but it was not successful. + [float] -==== Gathering information about a file +==== Informational listing of a file -[source,yaml] +A utility, such as a file integrity monitoring (FIM) application, takes inventory of a file but does not access or modify the file. + +[source,json] ---- -event: - kind: event - category: - - iam - type: - - user - - creation - outcome: - - failure +{ + "file": { + "name": "example.png", + "owner": "alice", + "path": "/home/alice/example.png", + "type": "file" + }, + "event": { + "kind": "event", + "category": [ <1> + "file" + ], + "type": [ <2> + "info" + ] + } +} ---- +<1> A file was reported on +<2> The "info" type categorizes purely informational events. A file was listed but not accessed or modified. + [float] === Security application failed to block a network connection -[source,yaml] +An intrusion detection system (IDS) performing analysis on network connections and protocols attempts to block a connection but fails. 
+ +[source,json] ---- -event: - kind: alert - category: - - intrustion_detection - - network - type: - - connection - - denied - outcome: failure +{ + "event": { + "kind": "alert", <1> + "category": [ <2> + "intrusion_detection", + "network" + ], + "type": [ <3> + "connection", + "denied" + ], + "outcome": "failure" <4> + } +} ---- +<1> The event was associated with a detection alert from an intrusion detection application. +<2> The data source is a network-based intrusion detection application. +<3> A network connection is associated with the event, and the IDS attempted action to deny the connection from continuing. +<4> The IDS application failed to deny the connection for some reason, resulting in `outcome: failure` diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index ca4679bab1..ed90c191d4 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -22,6 +22,13 @@ NOTE: If your events don't match any of these categorization values, you should leave the fields empty. This will ensure you can start populating the fields once the appropriate categorization values are published, in a later release. +[float] +[[ecs-category-usage]] +=== Categorization Usage + +<> contains examples combining the categorization fields to classify different types of events. + + [[ecs-allowed-values-event-kind]] === ECS Categorization Field: event.kind 
@@ -517,4 +524,6 @@ Indicates that this event describes a successful result. A common example is `ev Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated. -include::field-values-usage.asciidoc[] + + +include::field-values-usage.asciidoc[] \ No newline at end of file From 5a1b400e930db3be2af21b8266258de01bc3365c Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 28 Jan 2021 16:35:13 -0600 Subject: [PATCH 05/10] update title of usage page --- docs/field-values.asciidoc | 2 +- scripts/templates/field_values.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index ed90c191d4..0b40b191ec 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -26,7 +26,7 @@ once the appropriate categorization values are published, in a later release. [[ecs-category-usage]] === Categorization Usage -<> contains examples combining the categorization fields to classify different types of events. +<> contains examples combining the categorization fields to classify different types of events. [[ecs-allowed-values-event-kind]] diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2 index 71a65a6642..488a2793e9 100644 --- a/scripts/templates/field_values.j2 +++ b/scripts/templates/field_values.j2 
@@ -26,7 +26,7 @@ once the appropriate categorization values are published, in a later release. [[ecs-category-usage]] === Categorization Usage -<> contains examples combining the categorization fields to classify different types of events. +<> contains examples combining the categorization fields to classify different types of events. {% for field in fields %} [[ecs-allowed-values-{{ field['dashed_name'] }}]] From dfa32d68e1daa197a030f57cb5bb7587d29e006f Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 28 Jan 2021 16:35:23 -0600 Subject: [PATCH 06/10] revisions --- docs/field-values-usage.asciidoc | 79 ++++++++++++++++++++------------ 1 file changed, 50 insertions(+), 29 deletions(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index dd69387459..c8a469fb97 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc 
@@ -1,14 +1,23 @@ -[[ecs-categorization-values-usage]] -=== Categorization Usage +[[ecs-using-the-categorization-fields]] +=== Using the Categorization Fields -The following are usage examples of populating the categorization fields. Using the categorization fields together helps identify and group common subsets of events. +The event categorization fields work together to identify and group similar events from multiple data sources. -Each categorization example is based on an event from real-world data sources. Categorization fields should be populated using knowledge of each type of event a data source emits. +These general principles can help guide the categorization process: + +* Events from multiple data sources that are similar enough to be viewed or analyzed together, should fall into the same `event.category` field. +* Both `event.category` and `event.type` may be populated with multiple allowed values, if the event can be reasonably classified into more than one category and/or subcategory. +* Values of `event.outcome` are a very limited set to indicate success or failure. Domain-specific actions, such as deny and allow, that could be considered outcomes are not + captured in the `event.outcome` field, but rather in the `event.type` and/or `event.action` fields. +* Values of `event.category`, `event.type`, and `event.outcome` are consistent across all values of `event.kind`. +* When a specific event doesn't fit into any of the defined allowed categorization values, the field should be left empty. + +The following examples detail populating the categorization fields and provides some context for the classification decisions. [float] -==== Firewall blocked a network connection +==== Firewall blocking a network connection -Network firewalls generate events based on which network flows were allowed or denied based on the firewall's configuration. +This event from a firewall describes a successfully blocked network connection: [source,json] ---- 
@@ -45,15 +54,15 @@ Network firewalls generate events based on which network flows were allowed or d ... ---- -<1> The `event` value will be the most common and most general event `kind`. -<2> Event relates to network activity. -<3> The firewall blocked, dropped, or someway `denied` the attempted network `connection`. -<4> A blocked connection is expected based on the configuration of this firewall. The outcome is a `success` from the perspective of the firewall emitting the event. -<5> The data source describes this `denied` connection as `dropped`, which is best captured in `event.action`. +<1> Classifying as an `event`. +<2> `event.category` categorizes this event as `network` activity. +<3> The event was both an attempted network `connection` which was `denied`. +<4> The blocking of this connection is expected. The outcome is a `success` from the perspective of the firewall emitting the event. +<5> The firewall classifies this denied connection as `dropped`, and this value is captured in `event.action`. -A "denied" network connection falls under different actions: "blocked", "dropped", "quarantined". The `event.action` can capture the action taken by the source, and populating `event.type:denied` provides a normalized category which is independent of the source. +A "denied" network connection could fall under different action values: "blocked", "dropped", "quarantined", etc. The `event.action` field captures the action taken as described by the source, and populating `event.type:denied` provides an independent, normalized value. -Any network flows or connections that are "denied" can be searched with a single query: +A single query will return all denied network connections which have been normalized with the same categorization values: [source,sh] ---- 
@@ -63,7 +72,7 @@ event.category:network AND event.type:denied [float] ==== Failed attempt to create a user account -User `alice` attempts to add a user account, `bob`, into a directory service, but the action fails. +User `alice` attempts to add a user account, `bob`, into a directory service, but the action fails: [source,json] ---- @@ -75,27 +84,28 @@ User `alice` attempts to add a user account, `bob`, into a directory service, bu } }, "event": { - "kind": "event", - "category": [ <1> + "kind": "event", <1> + "category": [ <2> "iam" ], - "type": [ <2> + "type": [ <3> "user", "creation" ], - "outcome": "failure" <3> + "outcome": "failure" <4> } } ---- -<1> Categorized using `iam` for an event user account activity. -<2> Both `user` and `creation` -<3> The creation of a user account was attempted, but it was not successful. +<1> Again classifying as an `event`. +<2> Categorized using `iam` for an event user account activity. +<3> Both `user` and `creation` +<4> The creation of a user account was attempted, but it was not successful. [float] ==== Informational listing of a file -A utility, such as a file integrity monitoring (FIM) application, takes inventory of a file but does not access or modify the file. +A utility, such as a file integrity monitoring (FIM) application, takes inventory of a file but does not access or modify the file: [source,json] ---- 
@@ -118,17 +128,28 @@ A utility, such as a file integrity monitoring (FIM) application, takes inventor } ---- -<1> A file was reported on -<2> The "info" type categorizes purely informational events. A file was listed but not accessed or modified. +<1> The event is reporting on a `file`. +<2> The `info` type categorizes purely informational events. The target file here was not accessed or modified. [float] === Security application failed to block a network connection -An intrusion detection system (IDS) performing analysis on network connections and protocols attempts to block a connection but fails. +An intrusion detection system (IDS) attempts to block a connection but fails. The event emitted by the IDS is considered an alert: [source,json] ---- { + "source": { + "address": "10.42.42.42", + "ip": "10.42.42.42", + "port": 38842 + }, + "destination": { + "address": "10.42.42.1", + "ip": "10.42.42.1", + "port": 443 + }, + ... "event": { "kind": "alert", <1> "category": [ <2> @@ -144,7 +165,7 @@ An intrusion detection system (IDS) performing analysis on network connections a } ---- -<1> The event was associated with a detection alert from an intrusion detection application. -<2> The data source is a network-based intrusion detection application. -<3> A network connection is associated with the event, and the IDS attempted action to deny the connection from continuing. -<4> The IDS application failed to deny the connection for some reason, resulting in `outcome: failure` +<1> The IDS emitted this event when a detection rule generated an alert. The `event.type` is set to `alert`. +<2> With the event emitted from a network IDS device, the event is categorized both as `network` and `intrusion_detection`. +<3> The alert event is a `connection` that was `denied` by the IDS' configuration. +<4> The IDS experience an issue when attempting to deny the connection. Since the action taken by the IDS failed, the outcome is set as `failure`. 
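Review bot: in PATCH 01's `docs/field-values-usage.asciidoc` hunk, the "Gathering information about a file" example is a verbatim copy of the "Failed attempt to add user account" block (`category: - iam`, `type: - user - creation`, `outcome: - failure`), which contradicts its own heading; it should use the file-related values the heading implies. In the same hunk `intrustion_detection` is misspelled (the allowed value is `intrusion_detection`), `outcome` is written as a YAML list (`- success`, `- failure`) in three examples and as a scalar (`outcome: failure`) in the fourth even though `event.outcome` holds a single value, the last heading `=== Security application failed to block a network connection` is one level above the other three `====` examples, and the intro sentence "The following are examples use the four events categorization fields together." needs a rewrite ("The following examples use the four event categorization fields together.").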
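Review bot: PATCH 01's `docs/field-values.asciidoc` hunk hand-edits a file that PATCH 02 and PATCH 04 show is produced from `scripts/templates/field_values.j2` (the same lines land in both places), so the `+include::field-values-usage.asciidoc[]` added here will be overwritten the next time the docs are generated. Make the change in the template only and regenerate, rather than editing the generated file by hand.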
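Review bot: PATCH 02's first template hunk adds a `[float]` section titled `=== Categorization Usage` that only points at the included page, and PATCH 03 titles the included page `=== Categorization Usage` as well, so the rendered chapter ends up with two headings carrying the same text. Either drop the float heading and keep the one-sentence pointer, or give the two sections distinct titles. The cross-reference in the added sentence (`<> contains examples ...`) should also be checked against the anchor actually defined in the included file, since the two are renamed in separate commits later in the series.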
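Review bot: in PATCH 03's `docs/field-values-usage.asciidoc` hunk, callout `<2> Both \`user\` and \`creation\`` in the user-creation example is a sentence fragment and says nothing about why both types apply; suggest "`user` because the target is a user account, `creation` because the account was being added." Two smaller points in the same hunk: `[source,sh]` is the wrong language for `event.category:network AND event.type:denied`, which is a query expression rather than a shell command (a plain text or query language label would be more accurate), and "blocked, dropped, or someway `denied`" in callout `<3>` should read "in some way denied".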
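Review bot: PATCH 04 repeats PATCH 03's `docs/field-values-usage.asciidoc` diff with the identical index line (`index d5ce858141..dd69387459`), so once PATCH 03 is applied this hunk no longer applies and `git am` will stop on it; squash the two commits (they share the same timestamp and subject "refactoring"). In the same patch, the `docs/field-values.asciidoc` hunk at the end of the file replaces `include::field-values-usage.asciidoc[]` with two blank lines plus the same include and introduces `\ No newline at end of file`; keep the trailing newline and avoid the blank-line churn, or the generated file will keep diffing against the template output.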
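Review bot: PATCH 05 updates the cross-reference text in `docs/field-values.asciidoc` and `scripts/templates/field_values.j2` ten seconds before PATCH 06 renames the target anchor from `[[ecs-categorization-values-usage]]` to `[[ecs-using-the-categorization-fields]]`, so at commit 05 the reference points at an anchor that does not exist yet. Squash the two, or reorder so the anchor rename lands first. The `=== Categorization Usage` float heading in both files is also left untouched while the included page becomes "Using the Categorization Fields"; align the two titles.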
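Review bot: in PATCH 06's last hunk, callout `<1>` says "The `event.type` is set to `alert`" but the value shown is `"kind": "alert"`; the field is `event.kind` (PATCH 07 corrects this, so squash it in). Callout `<3>` ("a `connection` that was `denied` by the IDS' configuration") reads as though the deny succeeded, which contradicts `"outcome": "failure"` in the same block; suggest "a `connection` that the IDS attempted to deny". In the first hunk of the same patch, the bullet "Values of `event.outcome` are a very limited set to indicate success or failure" omits `unknown`, which the `event.outcome` section quoted as context in this series explicitly allows; say "success, failure, or unknown".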
From 56a1cce9d49d14a5245cc129efe7871e85a66ddf Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 4 Feb 2021 16:26:54 -0600 Subject: [PATCH 07/10] event.type => event.kind --- docs/field-values-usage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index c8a469fb97..92e7c6ba41 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc @@ -165,7 +165,7 @@ An intrusion detection system (IDS) attempts to block a connection but fails. Th } ---- -<1> The IDS emitted this event when a detection rule generated an alert. The `event.type` is set to `alert`. +<1> The IDS emitted this event when a detection rule generated an alert. The `event.kind` is set to `alert`. <2> With the event emitted from a network IDS device, the event is categorized both as `network` and `intrusion_detection`. <3> The alert event is a `connection` that was `denied` by the IDS' configuration. <4> The IDS experience an issue when attempting to deny the connection. Since the action taken by the IDS failed, the outcome is set as `failure`. From 61a0c25dbea1b7c5ef3740ded3c61e576178f75f Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 4 Feb 2021 16:33:51 -0600 Subject: [PATCH 08/10] incorporate additional points --- docs/field-values-usage.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index 92e7c6ba41..8927cc14b0 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc 
@@ -6,7 +6,8 @@ The event categorization fields work together to identify and group similar even These general principles can help guide the categorization process: * Events from multiple data sources that are similar enough to be viewed or analyzed together, should fall into the same `event.category` field. -* Both `event.category` and `event.type` may be populated with multiple allowed values, if the event can be reasonably classified into more than one category and/or subcategory. +* Both `event.category` and `event.type` are arrays and may be populated with multiple allowed values, if the event can be reasonably classified into more than one category and/or type. +* `event.kind`, `event.category`, `event.type` and `event.outcome` all have allowed values. This is to normalize these fields. Values that aren't in the list of allowed values should not be used. * Values of `event.outcome` are a very limited set to indicate success or failure. Domain-specific actions, such as deny and allow, that could be considered outcomes are not captured in the `event.outcome` field, but rather in the `event.type` and/or `event.action` fields. * Values of `event.category`, `event.type`, and `event.outcome` are consistent across all values of `event.kind`. From 15e7ac7ff78c3c5f304825d954fbdebfb41be7f0 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 4 Feb 2021 16:52:21 -0600 Subject: [PATCH 09/10] aligning with other examples --- docs/field-values-usage.asciidoc | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index 8927cc14b0..ec6982ec91 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc 
@@ -118,19 +118,22 @@ A utility, such as a file integrity monitoring (FIM) application, takes inventor "type": "file" }, "event": { - "kind": "event", - "category": [ <1> + "kind": "event", <1> + "category": [ <2> "file" ], - "type": [ <2> + "type": [ <3> "info" ] } } ---- -<1> The event is reporting on a `file`. -<2> The `info` type categorizes purely informational events. The target file here was not accessed or modified. +<1> Classifying as `event`. +<2> The event is reporting on a `file`. +<3> The `info` type categorizes purely informational events. The target file here was not accessed or modified. + +The source data didn't include any context around the event's outcome, so `event.outcome` should not be populated. [float] === Security application failed to block a network connection From 56dd657bb4a3e2801e069567c3114c0745f055db Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 10 Feb 2021 14:09:50 -0600 Subject: [PATCH 10/10] grammar corrections --- docs/field-values-usage.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc index ec6982ec91..88905ba3bc 100644 --- a/docs/field-values-usage.asciidoc +++ b/docs/field-values-usage.asciidoc @@ -57,7 +57,7 @@ This event from a firewall describes a successfully blocked network connection: <1> Classifying as an `event`. <2> `event.category` categorizes this event as `network` activity. -<3> The event was both an attempted network `connection` which was `denied`. +<3> The event was both an attempted network `connection` and was `denied`. <4> The blocking of this connection is expected. The outcome is a `success` from the perspective of the firewall emitting the event. <5> The firewall classifies this denied connection as `dropped`, and this value is captured in `event.action`. 
@@ -172,4 +172,4 @@ An intrusion detection system (IDS) attempts to block a connection but fails. Th <1> The IDS emitted this event when a detection rule generated an alert. The `event.kind` is set to `alert`. <2> With the event emitted from a network IDS device, the event is categorized both as `network` and `intrusion_detection`. <3> The alert event is a `connection` that was `denied` by the IDS' configuration. -<4> The IDS experience an issue when attempting to deny the connection. Since the action taken by the IDS failed, the outcome is set as `failure`. +<4> The IDS experienced an issue when attempting to deny the connection. Since the action taken by the IDS failed, the outcome is set as `failure`.
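Review bot: the trailing context of PATCH 09's hunk still shows `[float]` followed by `=== Security application failed to block a network connection`, one heading level above the other three examples, which all use `====`; this inconsistency has been carried from PATCH 01 through PATCH 10 and should be fixed before merging. The sentence added in the same hunk ("The source data didn't include any context around the event's outcome, so `event.outcome` should not be populated.") is the right guidance and matches the `event.outcome` text in `docs/field-values.asciidoc`.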