Conflict between ECS and SIEM authentication events visualization

wconnell · January 29, 2020, 2:53am

On the Host tab of the SIEM app, there's a visualization that counts authentication events using the following logic:

{
  "aggs": {
    "authentication_success": {
      "filter": {
        "term": {
          "event.type": "authentication_success"
        }
      }
    },
    "authentication_success_histogram": {
      "auto_date_histogram": {
        "field": "@timestamp",
        "buckets": "6"
      },
      "aggs": {
        "count": {
          "filter": {
            "term": {
              "event.type": "authentication_success"
            }
          }
        }
      }
    },
    "authentication_failure": {
      "filter": {
        "term": {
          "event.type": "authentication_failure"
        }
      }
    },
    "authentication_failure_histogram": {
      "auto_date_histogram": {
        "field": "@timestamp",
        "buckets": "6"
      },
      "aggs": {
        "count": {
          "filter": {
            "term": {
              "event.type": "authentication_failure"
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "filter": [
              {
                "term": {
                  "event.category": "authentication"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1580093412414,
              "lte": 1580266212415
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": false
}

Notice how the query is looking for event.type to have a value of authentication_success or authentication_failure. But per the ECS docs, the only permitted values are access, change, creation, deletion, end, error, info, installation, or start.

What should I set the value for that field to be?

Mike_Paquette · January 29, 2020, 12:46pm

Hi Wes,

You are correct - there is a conflict here.
The logic used to populate the authentication widget in the SIEM app pre-dates the introduction of ECS 1.4 (where the values of ECS field event.type are specified), and needs to be updated.

As of ECS 1.4, the ECS-compatible mapping of authentication events will now require three categorization fields, for example:
event.category:"authentication" (no change)
event.type:"start"
event.outcome:"failure"

We're planning to update the SIEM app in a future release to handle the ECS 1.4 implementation, so I'd recommend following the ECS spec.

Thanks for bringing this up.

wconnell · January 29, 2020, 7:16pm

Good to know - thanks so much!

system · February 26, 2020, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authentication fields used by SIEM vs ECS SIEM ecs-elastic-common-schema	4	1159	January 3, 2020
Difference between (event.module: system - event.action: user_login) AND (event.module: auditd - event.action: logged-in) SIEM ecs-elastic-common-schema , detection-rules	3	823	August 24, 2021
Security events and rules matching SIEM	3	502	August 23, 2022
Authentications tab shows "All values returned zero" SIEM	15	1320	October 6, 2020
SIEM Events/All Events Tables Empty SIEM	2	497	August 10, 2020

Conflict between ECS and SIEM authentication events visualization

Related topics