On the Host tab of the SIEM app, there is a visualization that counts authentication successes and failures using the following Elasticsearch query (aggregations plus filter query):
{
"aggs": {
"authentication_success": {
"filter": {
"term": {
"event.type": "authentication_success"
}
}
},
"authentication_success_histogram": {
"auto_date_histogram": {
"field": "@timestamp",
"buckets": "6"
},
"aggs": {
"count": {
"filter": {
"term": {
"event.type": "authentication_success"
}
}
}
}
},
"authentication_failure": {
"filter": {
"term": {
"event.type": "authentication_failure"
}
}
},
"authentication_failure_histogram": {
"auto_date_histogram": {
"field": "@timestamp",
"buckets": "6"
},
"aggs": {
"count": {
"filter": {
"term": {
"event.type": "authentication_failure"
}
}
}
}
}
},
"query": {
"bool": {
"filter": [
{
"bool": {
"must": [],
"filter": [
{
"match_all": {}
}
],
"should": [],
"must_not": []
}
},
{
"bool": {
"filter": [
{
"term": {
"event.category": "authentication"
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": 1580093412414,
"lte": 1580266212415
}
}
}
]
}
},
"size": 0,
"track_total_hits": false
}
Notice how the query uses exact `term` filters that require `event.type` to be either `authentication_success` or `authentication_failure` (in addition to `event.category: authentication` and the `@timestamp` range). But per the ECS docs, the only permitted values for `event.type` are `access`, `change`, `creation`, `deletion`, `end`, `error`, `info`, `installation`, or `start`. Because these are exact `term` matches, any authentication event indexed with an ECS-conformant `event.type` will simply not be counted, so the success/failure counts and histograms can read zero even while authentication events are being ingested.
What value should I set `event.type` to on my authentication events so that this visualization counts them, while still staying within the ECS allowed values?