ECS mappings for asset tracking and port scanning output

Hey chaps,

I'm currently working on an application that will generate asset tracking and scanning data, and one of the outputs I'm building will use the ECS standard where possible.

There are broadly two kind of events being generated:

The first, is an asset event, where a new discrete asset has been discovered (like an IP address or FQDN). For these types, my current thinking is to use the host field set, which seems to map pretty logically.

The second, is a scanning event, where a scanning platform has either discovered something new (like an open port) or it might have spotted the change in state of something existing (like a port going from closed to open, or a TLS certificate being renewed).

From my reading of the current ECS, it feels like it is geared toward mapping connections rather than endpoint state.

My current thinking is to use the network and destination field sets, which cover almost all the information, but seem to lack any mechanism for recording the actual state of the destination.

I obviously understand I can just add fields as I wish, but my goal really is to make the output as useable as possible for the consumer, with minimal configuration required.

Any thoughts?

TIA

You're right that ECS currently doesn't currently have much in terms of tracking the state, or state transitions (other than service.state). Nor do we offer much in terms of entity indices (one entry per asset, as opposed to one per event/log/metric). We will be going in both of these directions in the future, but we can't give you much specific guidance for now. We haven't started down that path yet.

One thing you could do for now is try Uptime and look at its events. This tool also scans assets periodically and reports on their state, like you're doing.

Finally, the existing ECS fields you plan on using make sense to me, I think you're on the right track. And anything that's not covered by ECS can -- as you say -- be captured in additional custom fields (here's our tips to avoid naming conflicts).