Add asset sub-fields #131

Open
miwent opened this issue Aug 18, 2023 · 0 comments
miwent commented Aug 18, 2023

Please describe what you are requesting
Add an asset sub-field type with fields such as:
..._asset_ip
..._asset_mac
..._asset_owner
..._asset_location

Look at existing schema fields and consider other sources of data.

Describe what change you are proposing
Adding asset information will expand our schema to further integrate with the asset functionality being built into Graylog Security. Normalizing these fields can be part of the processing sequence to help ease the adoption of asset data integration.

Describe the log source
Many.

Attach any sample logs or examples for details
For example, Winlogbeat can include host information such as:

{
  "winlogbeat_host_architecture": "x86_64",
  "winlogbeat_host_hostname": "desktop-fnv6te0",
  "winlogbeat_host_id": "23fd01a8-11d4-44cd-8be9-774d7e1b68a5",
  "winlogbeat_host_ip": "[\"fe80::a5b6:c5c5:c4d2:74c5\",\"172.16.14.33\",\"fe80::fe1a:1ae7:f79c:6bad\",\"169.254.131.73\",\"fe80::e336:e318:634:670b\",\"169.254.40.184\",\"fe80::c115:dfaf:1982:7b84\",\"17.16.14.1\",\"fe80::7010:25d:f784:9f71\",\"172.16.15.20\"]",
  "winlogbeat_host_mac": "[\"00-50-56-C0-00-01\",\"00-50-56-C0-00-08\",\"00-50-56-C0-00-0B\",\"0A-00-27-00-00-07\",\"F8-B1-56-BA-D6-BD\"]"
}

This information does not necessarily fit in context with fields like source_ip, destination_ip, etc., since that information is contextual to an actual network connection between a source and a host. Adding it as additional ..._asset_... sub-field(s) can provide normalized data to a potential asset pack which can supply this data to the asset functionality in Graylog Security.

@miwent miwent self-assigned this Aug 23, 2023
@miwent miwent added the triaged label Aug 23, 2023
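The normalization step the issue describes (turning the per-host Winlogbeat fields above into separate ..._asset_... sub-fields instead of folding them into source_ip / destination_ip) is sketched below as an added example. It is not Graylog code and not part of the issue; the field names host_asset_ip, host_asset_mac, host_asset_hostname and host_asset_id, the "host" prefix, the winlogbeat_host_ source prefix, and the sample event (modelled on the excerpt in the issue) are all assumptions. Two details matter in practice: Beats ships multi-valued host fields as a JSON array serialized into a string, so they must be parsed before use, and the list mixes link-local addresses (fe80::/10, 169.254.0.0/16) with routable ones, so the example drops link-local entries by default. Owner and location are not present in the Winlogbeat data and would have to come from enrichment, so they are deliberately not fabricated here.

```python
"""Normalize Winlogbeat host_* fields into hypothetical *_asset_* sub-fields.

Added example, not Graylog or Winlogbeat code. Output field names and the
"host" prefix are assumptions; the issue leaves the prefix open.
"""
import ipaddress
import json
import re

# Constructed sample event, modelled on the Winlogbeat excerpt in the issue.
SAMPLE_EVENT = {
    "winlogbeat_host_architecture": "x86_64",
    "winlogbeat_host_hostname": "desktop-fnv6te0",
    "winlogbeat_host_id": "23fd01a8-11d4-44cd-8be9-774d7e1b68a5",
    "winlogbeat_host_ip": "[\"fe80::a5b6:c5c5:c4d2:74c5\",\"172.16.14.33\",\"169.254.131.73\"]",
    "winlogbeat_host_mac": "[\"00-50-56-C0-00-01\",\"F8-B1-56-BA-D6-BD\"]",
    # Connection-level field; must stay untouched by asset normalization.
    "source_ip": "10.1.2.3",
}


def _as_list(value):
    """Beats serializes multi-valued host fields as a JSON array inside a string."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    text = str(value).strip()
    if text.startswith("["):
        try:
            return [str(v) for v in json.loads(text)]
        except (json.JSONDecodeError, TypeError):
            return [text]  # malformed array: keep the raw value rather than lose it
    return [text]


def normalize_mac(raw):
    """Canonical lower-case, colon-separated MAC; None if it is not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def normalize_ip(raw, keep_link_local=False):
    """Validated, canonical (compressed) address; None if invalid or filtered."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if not keep_link_local and addr.is_link_local:
        return None
    return str(addr)


def _dedupe(values):
    return list(dict.fromkeys(v for v in values if v is not None))


def asset_fields(event, prefix="host", source_prefix="winlogbeat_host_",
                 keep_link_local=False):
    """Return only the new ..._asset_... fields derived from the host_* fields."""
    out = {}
    hostname = event.get(source_prefix + "hostname")
    if hostname:
        out[f"{prefix}_asset_hostname"] = str(hostname).lower()
    host_id = event.get(source_prefix + "id")
    if host_id:
        out[f"{prefix}_asset_id"] = str(host_id)
    ips = _dedupe(normalize_ip(v, keep_link_local)
                  for v in _as_list(event.get(source_prefix + "ip")))
    if ips:
        out[f"{prefix}_asset_ip"] = ips
    macs = _dedupe(normalize_mac(v) for v in _as_list(event.get(source_prefix + "mac")))
    if macs:
        out[f"{prefix}_asset_mac"] = macs
    return out


def enrich(event, **kwargs):
    """Copy of the event with asset sub-fields added; connection fields untouched."""
    enriched = dict(event)
    enriched.update(asset_fields(event, **kwargs))
    return enriched


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_EVENT), indent=2))
```

Run against the sample, host_asset_ip contains only 172.16.14.33 unless keep_link_local=True is passed, and source_ip is carried through unchanged, which is the separation the issue asks for between asset identity and connection context.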