I'm currently working on an application that will generate asset tracking and scanning data, and one of the outputs I'm building will use the ECS standard where possible.
There are broadly two kind of events being generated:
The first, is an asset event, where a new discrete asset has been discovered (like an IP address or FQDN). For these types, my current thinking is to use the host field set, which seems to map pretty logically.
The second, is a scanning event, where a scanning platform has either discovered something new (like an open port) or it might have spotted the change in state of something existing (like a port going from closed to open, or a TLS certificate being renewed).
From my reading of the current ECS, it feels like it is geared toward mapping connections rather than endpoint state.
My current thinking is to use the network and destination field sets, which cover almost all the information, but seem to lack any mechanism for recording the actual state of the destination.
I obviously understand I can just add fields as I wish, but my goal really is to make the output as useable as possible for the consumer, with minimal configuration required.