Summary
The event.category field, which is essential for better event classification, is missing from Asset Discovery logs. SIEM Readiness uses this field to categorize logs.
Required changes
1. Add event.category
Use the ECS allowed values for event.category when publishing Asset Discovery events. Supported values include:
api
authentication
configuration
database
driver
email
file
host
iam
intrusion_detection
library
malware
network
package
process
registry
session
threat
vulnerability
web
Choose the value(s) that best match each Asset Discovery event type.
2. Add event.kind
Set event.kind to asset on published events so Entity Store can correctly treat them as asset events when extracting users in the entity store (see ECS event.kind — asset).
3. Add event.module
Optional
Consider adding event.type and other ECS fields that would improve classification and downstream use (e.g. SIEM Readiness, Entity Store).
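The three field changes above, as an added example in Python (not Kibana or Elastic code): a hypothetical enrichment step that stamps event.kind, event.category and event.module onto a raw Asset Discovery document and rejects any category outside the ECS allowed values. The asset-type-to-category mapping, the module name and the document shape are assumptions.

```python
# Added example: enrich Asset Discovery events with the ECS fields this issue asks for.
# The event shape and the asset-type mapping are hypothetical, not Kibana/Elastic code.
import json

# ECS allowed values for event.category (the list quoted in this issue).
ECS_EVENT_CATEGORIES = frozenset({
    "api", "authentication", "configuration", "database", "driver", "email",
    "file", "host", "iam", "intrusion_detection", "library", "malware",
    "network", "package", "process", "registry", "session", "threat",
    "vulnerability", "web",
})

# Assumed mapping from an Asset Discovery asset type to the ECS categories that
# describe it; the real mapping is for the implementer to choose per event type.
ASSET_TYPE_CATEGORIES = {
    "host": ["host"],
    "user": ["iam"],
    "service_account": ["iam", "authentication"],
    "cloud_network": ["network"],
}


def to_ecs_asset_event(raw: dict, module: str = "asset_discovery") -> dict:
    """Return a copy of `raw` carrying event.kind, event.category and event.module.

    Raises ValueError when the asset type has no mapping or a mapped category is
    not an ECS allowed value, so a mis-labelled document never reaches the index.
    """
    asset_type = raw.get("asset", {}).get("type")
    categories = ASSET_TYPE_CATEGORIES.get(asset_type)
    if categories is None:
        raise ValueError(f"no event.category mapping for asset type {asset_type!r}")
    bad = [c for c in categories if c not in ECS_EVENT_CATEGORIES]
    if bad:
        raise ValueError(f"not ECS allowed values for event.category: {bad}")
    event = dict(raw)
    event["event"] = {
        **raw.get("event", {}),
        "kind": "asset",                # lets Entity Store treat the doc as an asset event
        "category": list(categories),   # event.category is an array field in ECS
        "module": module,
    }
    return event


# Constructed sample input (not a real Asset Discovery log line).
SAMPLE = {
    "@timestamp": "2024-01-01T00:00:00Z",
    "asset": {"type": "user", "id": "u-123"},
    "user": {"name": "alice"},
}

if __name__ == "__main__":
    print(json.dumps(to_ecs_asset_event(SAMPLE), indent=2))
```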
References
event.category: https://www.elastic.co/docs/reference/ecs/ecs-allowed-values-event-category
event.kind (asset): https://www.elastic.co/docs/reference/ecs/ecs-allowed-values-event-kind#ecs-event-kind-asset