Description
Summary:
The Microsoft Defender for Endpoint (MDE) integration reports multiple device types whose "operating systems" don't fit into any of the 6 values currently accepted for os.type:
- "ESXi" - VMware ESXi is not a Linux, Unix, or Android operating system. It runs on its own proprietary kernel, the VMkernel, which is a type-1 ("bare-metal") hypervisor.
- "Haiku" - Haiku is not a Linux, Unix, or Android operating system; it is an open-source OS written from the ground up as a spiritual successor to BeOS, inspired by BeOS's design philosophy rather than derived from its code.
- "Integrated Lights Out Manager (ILOM)" - Oracle Integrated Lights Out Manager (ILOM) runs its own embedded operating system, separate from the server's host operating system.
Motivation:
If events from these devices are to be included in buckets, aggregations, and visualizations keyed on os.type, the field shouldn't be left blank, but none of the accepted values describe them.
Detailed Design:
There should be some way to fit these devices into os.type, either by adding each of their respective types as an accepted value for the field, or by adding a single value that covers all 3 of them. Given that these device types are rather obscure/rare compared to the other accepted values, would it make sense to add some kind of 'other' value to os.type? Or would there be a better way to approach this?
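To make the motivation concrete, here is an added example (not code from ECS or from the MDE integration) of a small normaliser that maps a reported OS name onto one of the six ECS os.type values and then buckets events the way a terms aggregation would. The prefix table, the sample device records, and the `fallback` parameter are all constructed for this illustration; the six allowed values are the ones listed in the ECS field reference. It shows that, with the current schema, the ESXi, Haiku, and ILOM devices simply disappear from the aggregation, whereas a proposed catch-all value such as "other" keeps them countable.

```python
"""Added example: normalise an OS name to ECS os.type and show the aggregation gap.

Not part of the ECS project or the MDE integration; the mapping table and the
sample records below are constructed for illustration only.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

# The six values ECS currently accepts for os.type (from the ECS field reference).
ECS_OS_TYPES = ("linux", "macos", "unix", "windows", "ios", "android")

# Hypothetical prefix table (lower-cased os.name prefix -> os.type). Real
# integrations carry a much longer list; this one is deliberately small.
_NAME_PREFIXES = {
    "windows": "windows",
    "ubuntu": "linux", "debian": "linux", "red hat": "linux", "centos": "linux",
    "macos": "macos", "mac os": "macos",
    "ipados": "ios", "ios": "ios",
    "android": "android",
    "freebsd": "unix", "solaris": "unix", "aix": "unix",
}


def is_valid_os_type(value: Optional[str]) -> bool:
    """True if `value` would pass validation against today's allowed os.type list."""
    return value in ECS_OS_TYPES


def to_os_type(os_name: str, fallback: Optional[str] = None) -> Optional[str]:
    """Map a reported OS name to an ECS os.type.

    Returns `fallback` (None by default, i.e. the field is left unset) when no
    known prefix matches. ESXi, Haiku and ILOM all land in that branch because
    none of the six accepted values describe them.
    """
    name = os_name.strip().lower()
    for prefix, os_type in _NAME_PREFIXES.items():
        if name.startswith(prefix):
            return os_type
    return fallback


def bucket_by_os_type(events: Iterable[dict], fallback: Optional[str] = None) -> Dict[str, int]:
    """Count events per os.type, mimicking a terms aggregation on that field.

    Documents with the field missing contribute to no bucket, which is exactly
    how the unmapped devices drop out of dashboards today.
    """
    counts: Counter = Counter()
    for event in events:
        os_type = to_os_type(event["os"]["name"], fallback)
        if os_type is None:
            continue  # missing field: the aggregation never sees this document
        counts[os_type] += 1
    return dict(counts)


def coverage_gap(events: Iterable[dict], fallback: Optional[str] = None) -> int:
    """Number of events that an os.type aggregation would silently omit."""
    events = list(events)
    return len(events) - sum(bucket_by_os_type(events, fallback).values())


# Constructed sample of device records in the shape the issue describes (not real data).
SAMPLE_EVENTS = [
    {"host": "web01", "os": {"name": "Windows Server 2019"}},
    {"host": "db01", "os": {"name": "Ubuntu 22.04"}},
    {"host": "esx01", "os": {"name": "ESXi 7.0"}},
    {"host": "dev02", "os": {"name": "Haiku R1/beta4"}},
    {"host": "ilom01", "os": {"name": "Integrated Lights Out Manager (ILOM)"}},
]

if __name__ == "__main__":
    print("current schema :", bucket_by_os_type(SAMPLE_EVENTS),
          "omitted:", coverage_gap(SAMPLE_EVENTS))
    print("with 'other'   :", bucket_by_os_type(SAMPLE_EVENTS, fallback="other"),
          "omitted:", coverage_gap(SAMPLE_EVENTS, fallback="other"))
    # "other" is not in the allowed list yet, so it would fail validation today.
    print("'other' valid today?", is_valid_os_type("other"))
```

Run as-is and the first line shows only the Windows and Ubuntu hosts in buckets with three events omitted; passing `fallback="other"` moves those three into a single bucket, which is the effect an added 'other' value would have, at the cost of losing the distinction between the three device types within that bucket.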