Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add event.reason field #907

Merged
merged 5 commits into from
Aug 6, 2020
Merged

Add event.reason field #907

merged 5 commits into from
Aug 6, 2020

Conversation

ebeahan
Copy link
Member

@ebeahan ebeahan commented Aug 4, 2020

Summary

Adds a new field under event.*, event.reason, which provides a location to capture the reason why an event occurred.

Example usage

  • A web proxy event shows a denied connection request. event.action:"request-denied" describes the action captured and why the action took place is captured in event.reason:"Blocked site: example.com"
  • An endpoint agent terminates a process on a host system. event.action:"process-terminated" with reason describing why as event.reason:"Terminated an unexpected process"`

Discussion Points

Two items I wanted to call to attention:

  1. event.reason is currently defined as type: extended. This felt most appropriate starting off.
  2. A text multi-field is included. event.reason could possibly hold a longer string (e.g. File Sharing site URL blocked).

Closes #613

@ebeahan ebeahan self-assigned this Aug 4, 2020
@ebeahan ebeahan marked this pull request as ready for review August 4, 2020 20:12
@ebeahan ebeahan requested a review from webmat August 4, 2020 20:12
webmat
webmat reviewed Aug 4, 2020
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good so far. I agree with adding this as extended.

schemas/event.yml Outdated
- name: reason
level: extended
type: keyword
short: The reason captured by the event
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should phrase this more naturally. E.g.

"Reason why this event happened, according to the source"

schemas/event.yml Outdated
Comment on lines 720 to 722
multi_fields:
- type: text
name: text
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we expect event.reason to be complex often enough to warrant this? Not opposed to this, just wondering out loud :-)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a similar internal debate...

I can see value in having the text indexing available since event.reason could possibly be longer string (e.g. something like this Okta event), but the extra complexity may not be warranted the majority of the time.

As I type this out, I'm leaning towards removing the multi-field. If a user was trying to search for allowed events across sources using event.reason.text:allow, using the categorization fields like `event.type:"allowed" would be the better practice to encourage I think.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's remove it for now. Adding .text later is non-breaking, so it'll be fine if it becomes necessary.

Also, I think this will be one of the fields we move to wildcard ultimately. I'm sure we'll get to wildcard before there's a need to add the .text interim solution.

@ebeahan ebeahan added 1.6.0 ready Issues we'd like to address in the future. labels Aug 4, 2020
@webmat
Copy link
Contributor

webmat commented Aug 6, 2020

CI fails because you're missing a make run. I think after .text is removed this will be ready.

@ebeahan
Copy link
Member Author

ebeahan commented Aug 6, 2020

@webmat should be good to merge if you wanna give it once last 👀

webmat
webmat approved these changes Aug 6, 2020
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ebeahan ebeahan merged commit 23750ee into elastic:master Aug 6, 2020
@ebeahan ebeahan deleted the add-event-reason branch August 6, 2020 14:44
@leehinman leehinman mentioned this pull request Aug 18, 2020
Closed
22 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat approved these changes

Assignees

@ebeahan ebeahan

Labels
1.6.0 ready Issues we'd like to address in the future.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

event reason?
2 participants
@ebeahan @webmat