Cisco Filebeat module (umbrella) - Improve ECS utilization

We are ingesting Cisco Umbrella data into our Elasticsearch for search, detection in Elastic Security and visualization through Kibana. However, we have noticed a few specific fields where the Cisco module does not optimally utilize ECS.

Note: we are running filebeat version 8.1.3, but have noticed that none of the newer releases solves our issues.

Umbrella

  • cisco.umbrella.identities
    • ECS fields: related.hosts | host.name
    • Suggestion: Identities, which represent a host, are added to the related.user field. This field should not be used and instead the data should populate host.name and related.hosts. Additionally, the data in source.user.name is also a host and should be removed.
  • message
    • ECS fields: related.hosts
    • Suggestion: The message field is currently just a collection of various data concatenated together and does not give much value in Kibana. Some of the data in the message field is already present in other data fields as well. One useful improvement here would be to ensure that all hosts, which appear in the message field, are added to the related.hosts field.
  • destination.domain | related.hosts
    • ECS fields: url.domain | url.extension | url.subdomain
    • Suggestion: The related URL is currently added to the destination.domain field. This data should be parsed and used to populate the url.domain, url.extension and url.subdomain fields. Domains/URLs should not be added to the related.hosts field.

Additionally, we believe the ECS specification should be improved with the introduction of a new field within the Related fields section. Certain third-party data sources, the Cisco module included, send events where multiple URLs are present. An optimal solution would be to add this data to a related.url field.
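The re-mapping the post asks for, written out as an added example (this is not code from the Filebeat Cisco module or from the poster): it moves identities into host.name and related.hosts, drops the misplaced source.user.name and related.user values, and decomposes the queried domain into ECS url.* fields. Note that in ECS url.extension is the file extension of the request path (e.g. "exe"), and the suffix of the domain goes in url.top_level_domain, with url.registered_domain and url.subdomain alongside; the example populates all of them. The PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List that Elasticsearch's registered_domain processor uses, and SAMPLE_EVENT is a constructed record shaped like the fields named in the post, not a real Umbrella log line.

```python
"""Added example, not code from the Filebeat Cisco module: re-map one
decoded Cisco Umbrella event into the ECS fields the post asks for."""
from __future__ import annotations

import copy
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List that Elasticsearch's
# registered_domain ingest processor consults. A real normalizer must load
# the full list; this handful only covers the sample values below.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "ac.uk"}

# Constructed sample shaped like the fields the post names (not a real
# Umbrella record): the identity is a host, yet it sits in user fields.
SAMPLE_EVENT = {
    "cisco": {"umbrella": {"identities": ["laptop-042"]}},
    "source": {"user": {"name": "laptop-042"}},
    "destination": {"domain": "cdn.static.example.co.uk"},
    "related": {"user": ["laptop-042"], "hosts": ["cdn.static.example.co.uk"]},
}


def _get(event, path, default=None):
    """Read a dotted path from a nested dict."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _set(event, path, value):
    """Write a dotted path into a nested dict, creating intermediate objects."""
    *parents, leaf = path.split(".")
    cur = event
    for key in parents:
        cur = cur.setdefault(key, {})
    cur[leaf] = value


def _pop(event, path):
    """Remove a dotted path if present; empty parent objects are left in place."""
    *parents, leaf = path.split(".")
    parent = _get(event, ".".join(parents)) if parents else event
    if isinstance(parent, dict):
        parent.pop(leaf, None)


def ecs_url_fields(value: str) -> dict:
    """Decompose a bare domain or a full URL into ECS url.* fields.

    url.top_level_domain is the longest matching public suffix,
    url.registered_domain adds one label to it, and url.subdomain holds the
    remaining labels (the split the registered_domain processor emits).
    url.extension is the file extension of the path, so it is only set when
    the value carries a path such as /a/update.exe.
    """
    parts = urlsplit(value if "://" in value else "//" + value)
    fields = {"original": value}
    host = (parts.hostname or "").rstrip(".")
    if host:
        fields["domain"] = host
    labels = host.split(".") if host else []
    for i in range(len(labels)):  # longest suffix is tried first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            fields["top_level_domain"] = suffix
            if i > 0:  # a bare public suffix has no registrant
                fields["registered_domain"] = ".".join(labels[i - 1:])
                if i > 1:
                    fields["subdomain"] = ".".join(labels[: i - 1])
            break
    if parts.path:
        fields["path"] = parts.path
        last = parts.path.rsplit("/", 1)[-1]
        if "." in last:
            fields["extension"] = last.rsplit(".", 1)[-1]
    return fields


def normalize_umbrella_event(event: dict) -> dict:
    """Apply the post's three re-mappings; the input event is left untouched."""
    out = copy.deepcopy(event)
    # 1. identities are hosts: host.name + related.hosts, not user fields
    identities = _get(out, "cisco.umbrella.identities", [])
    if isinstance(identities, str):
        identities = [identities]
    if identities:
        _set(out, "host.name", identities[0])
    _pop(out, "source.user.name")
    _pop(out, "related.user")
    # 2./3. the queried domain is parsed into url.* and kept out of
    #    related.hosts; destination.domain itself is left as it was
    dest = _get(out, "destination.domain")
    if dest:
        _set(out, "url", ecs_url_fields(dest))
    hosts = [h for h in _get(out, "related.hosts", []) if h != dest]
    for ident in identities:
        if ident not in hosts:
            hosts.append(ident)
    if hosts:
        _set(out, "related.hosts", hosts)
    else:
        _pop(out, "related.hosts")
    return out
```

In a real deployment the same three steps belong in the module's ingest pipeline rather than in a script: the registered_domain processor performs the url.* decomposition, append with allow_duplicates set to false fills related.hosts, and remove drops the misplaced user fields.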

Per your other topics, you might be better off putting this feature request into an issue on GitHub.

I have gone ahead and opened an issue (duplicate post) on GitHub as well:
