For our use case, it is sometimes important to include fields not present in Elastic Common Schema. There are two main cases:
Fields that conceptually belong to an existing ECS fieldset, but are not included in ECS 1.1; an example is "protocol_number", an integer that a firewall assigns to a network protocol. Would it be OK to map this field to network.protocol_id, although this field does not exist in the ECS network fieldset? Another example is "service_id", a string identifying a service that a firewall finds on the destination port of the connection. Would it be OK to map this field to destination.service, although this field does not exist in the ECS destination fieldset?
Fields that conceptually do not belong to any existing ECS fieldset, such as "Operation Number", an integer identifying an operation performed by a firewall administrator. Would you recommend (i) keeping this field as is, just renamed using ECS guidelines, i.e. operation_number, or (ii) using a custom prefix, such as audit.operation_number?