We are ingesting Cisco Umbrella data into our Elasticsearch for search, detection in Elastic Security and visualization through Kibana. However, we have noticed a few specific fields where the Cisco module does not optimally utilize ECS.
Note: we are running filebeat version 8.1.3, but have noticed that none of the newer releases solves our issues.
Umbrella
cisco.umbrella.identities
ECS fields: related.hosts | host.name
Suggestion: Identities, which represent a host, are added to the related.user field. This field should not be used and instead the data should populate host.name and related.hosts. Additionally, the data in source.user.name is also a host and should be removed.
message
ECS fields: related.hosts
Suggestion: The message field is currently just a collection of various data concatenated together and does not give much value in Kibana. Some of the data in the message field is already present in other data fields as well. One useful improvement here would be to ensure that all hosts which appear in the message field are added to the related.hosts field.
Suggestion: The related URL is currently added to the destination.domain field. This data should be parsed and used to populate the url.domain, url.extension and url.subdomain fields. Domains/URLs should not be added to the related.hosts field.
Additionally, we believe the ECS specification should be improved with the introduction of a new field within the Related fields section. Certain third-party data sources, the Cisco module included, send events where multiple URLs are present. An optimal solution would be to add this data to a related.url field.
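As an added illustration of the remapping proposed above (example code, not the Cisco module's own pipeline and not part of the original post), a Python function reshapes a constructed Umbrella event the way the post suggests: identities go to host.name and related.hosts instead of related.user, the URL in destination.domain is parsed into url.* fields, and the proposed related.url holds the URL. The subdomain split is a simplifying assumption (no public-suffix list), and related.url is the post's proposed field, not one ECS defines today.

```python
from urllib.parse import urlsplit
from posixpath import splitext

# Constructed sample event, approximating what the cisco.umbrella fileset emits today
# (identities landing in related.user / source.user.name, the URL in destination.domain).
SAMPLE_EVENT = {
    "cisco": {"umbrella": {"identities": ["laptop-01", "dc1-host"]}},
    "source": {"user": {"name": "laptop-01"}},
    "destination": {"domain": "https://cdn.assets.example.com/static/app.js"},
    "related": {"user": ["laptop-01", "dc1-host"], "hosts": ["cdn.assets.example.com"]},
}


def parse_url_fields(raw):
    """Split a URL into the ECS url.* fields the post asks for.

    Assumption: subdomain is everything left of the last two labels; a real
    pipeline would use a public-suffix list (see ECS url.registered_domain)."""
    parts = urlsplit(raw if "://" in raw else "http://" + raw)
    labels = parts.hostname.split(".")
    return {
        "original": raw,
        "domain": parts.hostname,
        "subdomain": ".".join(labels[:-2]) if len(labels) > 2 else "",
        "path": parts.path,
        "extension": splitext(parts.path)[1].lstrip("."),
    }


def remap_umbrella(event):
    """Return a copy of the event laid out the way the post suggests."""
    out = {k: v for k, v in event.items() if k not in ("related", "source", "destination")}
    identities = event.get("cisco", {}).get("umbrella", {}).get("identities", [])
    if isinstance(identities, str):
        identities = [identities]
    url = parse_url_fields(event["destination"]["domain"])
    # Identities are hosts: host.name gets the first one (assumption), related.hosts all of them.
    out["host"] = {"name": identities[0]} if identities else {}
    out["url"] = url
    # Assumption: destination.domain keeps only the parsed domain, not the full URL.
    out["destination"] = {**event["destination"], "domain": url["domain"]}
    out["related"] = {
        "hosts": sorted(set(identities)),  # domains/URLs are deliberately left out
        "url": [url["original"]],          # proposed related.url (not in ECS today)
    }
    # source.user.name held a host, so drop it; keep any other source.* content.
    source = {k: v for k, v in event.get("source", {}).items() if k != "user"}
    if source:
        out["source"] = source
    return out
```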