
Adding new entity/item/object fields for configuration and business changes usecases  #2371

Open
@double-facepalm


Summary

Admin and user activity audit tracking are very common use cases. The activity verb (what action happened) is well defined in the event.type field, but ECS lacks a defined, standardised object field (on which object the action happened). It would be extremely useful to have a field that would identify and describe the object (or item or entity).

Motivation - Use Cases

Monitor Administrator Activity (valid for Devices, Applications)
Monitoring administrator activity is required by most IT security standards and best practices. This applies both to standalone IT appliances and to distributed systems / applications. Auditors are usually interested in user and permission configuration (already covered by the user and event.action fields) and then in the rest of the configuration changes. The auditing here is tricky, but could be elegantly simplified by auditing the creation, change and deletion of configuration objects / items / entities. This could be solved by adding ECS fields that describe the type, identification and name / description of configuration items. Please see suggestions and examples below.

Monitor User Activity and Access to Sensitive Data (valid primarily for Applications)
Our internal corporate requirements for application logging state that applications that store or process sensitive (e.g. confidential) data should log user actions. Similar to the case above, this could be simplified by identifying a business object / entity / item and then tracking its creation, change, access and deletion. Please see examples below.

Design - Request for ECS Addition

Suggested Solution - Option 1 - Separate Configuration and Business Use Case

configuration.entity.type
configuration.entity.id
configuration.entity.name
(other possible names: entity, item, object)

business.entity.type
business.entity.id
business.entity.name
(other possible names: entity, item, object)

Suggested Solution - Option 2 - Universal Field

entity.type
entity.id
entity.name
(other possible names: entity, item, object)

Examples

Suggested Option 1

Admin creates a firewall rule:
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","configuration":{"entity":{"type":"fw-rule","name":"Prohibit access to Facebook","id":"LANWAN123"}},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["creation"],"action":"created-fw-rule","outcome":"success"},"user":{"name":"admin"},"client":{"ip":"10.2.3.4"},"message":"User admin created a rule LANWAN123","related":{"user":["admin"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

Power User (Fred) removes a camera from the configuration of an IP CCTV System:
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","configuration":{"entity":{"type":"camera","name":"NorthWest Yard","id":"008"}},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["deletion"],"action":"deleted-camera","outcome":"success"},"user":{"name":"fred"},"client":{"ip":"10.2.3.4"},"message":"User fred deleted camera 008","related":{"user":["fred"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

User bfu accesses a confidential record (not a file):
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","business":{"entity":{"type":"record","name":"AngryCustomer 2024/09/22:14:00","id":"00123456"}},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["access"],"action":"accessed-record","outcome":"success"},"user":{"name":"bfu"},"client":{"ip":"10.2.3.4"},"message":"User bfu accessed record 00123456","related":{"user":["bfu"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

User bfu deleted a ticket in a CRM system:
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","business":{"entity":{"type":"ticket","name":"Sales Opportunity - Amazon","id":"Lead123456"}},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["deletion"],"action":"deleted-ticket","outcome":"success"},"user":{"name":"bfu"},"client":{"ip":"10.2.3.4"},"message":"User bfu deleted ticket Lead123456","related":{"user":["bfu"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

Suggested Option 2

Admin creates a firewall rule:
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","entity":{"type":"fw-rule","name":"Prohibit access to Facebook","id":"LANWAN123"},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["creation"],"action":"created-fw-rule","outcome":"success"},"user":{"name":"admin"},"client":{"ip":"10.2.3.4"},"message":"User admin created a rule LANWAN123","related":{"user":["admin"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

Power User (Fred) removes a camera from the configuration of an IP CCTV System:
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","entity":{"type":"camera","name":"NorthWest Yard","id":"008"},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["deletion"],"action":"deleted-camera","outcome":"success"},"user":{"name":"fred"},"client":{"ip":"10.2.3.4"},"message":"User fred deleted camera 008","related":{"user":["fred"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

User bfu accesses a confidential record (not a file):
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","entity":{"type":"record","name":"AngryCustomer 2024/09/22:14:00","id":"00123456"},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["access"],"action":"accessed-record","outcome":"success"},"user":{"name":"bfu"},"client":{"ip":"10.2.3.4"},"message":"User bfu accessed record 00123456","related":{"user":["bfu"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}

User bfu deleted a ticket in a CRM system:
{"@timestamp":"2024-10-20T07:11:17.2324578+00:00","entity":{"type":"ticket","name":"Sales Opportunity - Amazon","id":"Lead123456"},"log":{"type":"audit","level":"info"},"event":{"kind":"event","type":["deletion"],"action":"deleted-ticket","outcome":"success"},"user":{"name":"bfu"},"client":{"ip":"10.2.3.4"},"message":"User bfu deleted ticket Lead123456","related":{"user":["bfu"],"ip":["10.2.3.4"]},"ecs":{"version":"8.20.0"}}
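An added example (not from the issue or from ECS itself) showing how a consumer would handle events written in either proposed layout: `extract_entity` accepts both the Option 1 domain-nested form (configuration.entity / business.entity) and the Option 2 top-level entity, and `successful_deletions` builds the per-user, per-entity-type deletion tally an auditor would ask for. The sample events are constructed here and carry only the fields the example needs.

```python
import json
from collections import Counter

# Constructed sample audit events (not real logs), trimmed to the fields used below.
# Events 1-3 use the Option 1 layout, events 4-5 the Option 2 layout.
SAMPLE_EVENTS = [
    '{"configuration":{"entity":{"type":"fw-rule","id":"LANWAN123","name":"Prohibit access to Facebook"}},'
    '"event":{"type":["creation"],"action":"created-fw-rule","outcome":"success"},"user":{"name":"admin"}}',
    '{"configuration":{"entity":{"type":"camera","id":"008","name":"NorthWest Yard"}},'
    '"event":{"type":["deletion"],"action":"deleted-camera","outcome":"success"},"user":{"name":"fred"}}',
    '{"business":{"entity":{"type":"record","id":"00123456","name":"AngryCustomer 2024/09/22"}},'
    '"event":{"type":["access"],"action":"accessed-record","outcome":"success"},"user":{"name":"bfu"}}',
    '{"entity":{"type":"ticket","id":"Lead123456","name":"Sales Opportunity - Amazon"},'
    '"event":{"type":["deletion"],"action":"deleted-ticket","outcome":"success"},"user":{"name":"bfu"}}',
    # A failed deletion: must not be counted as a completed removal.
    '{"entity":{"type":"ticket","id":"Lead999","name":"Duplicate lead"},'
    '"event":{"type":["deletion"],"action":"deleted-ticket","outcome":"failure"},"user":{"name":"bfu"}}',
]


def extract_entity(doc):
    """Return the acted-on object as {'domain', 'type', 'id', 'name'} for either
    proposed layout, or None when the event carries no entity at all."""
    for domain in ("configuration", "business"):          # Option 1: domain-nested entity
        ent = doc.get(domain, {}).get("entity")
        if isinstance(ent, dict):
            return {"domain": domain, "type": ent.get("type"),
                    "id": ent.get("id"), "name": ent.get("name")}
    ent = doc.get("entity")                                # Option 2: universal entity field
    if isinstance(ent, dict):
        return {"domain": None, "type": ent.get("type"),
                "id": ent.get("id"), "name": ent.get("name")}
    return None


def successful_deletions(lines):
    """Count successful deletions per (user name, entity type).

    Only events whose event.type contains 'deletion' and whose event.outcome is
    'success' are counted; events without an entity are skipped."""
    counts = Counter()
    for line in lines:
        doc = json.loads(line)
        ev = doc.get("event", {})
        if "deletion" not in ev.get("type", []) or ev.get("outcome") != "success":
            continue
        ent = extract_entity(doc)
        if ent is None:
            continue
        counts[(doc.get("user", {}).get("name"), ent["type"])] += 1
    return counts
```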
