I'm currently working on implementing ECS but I'm stuck with IPS logs.
Like many antivirus, IPS, HIPS and other detection software, my IPS generates logs containing "Application" information and behavior through network monitoring. Logs about "Application" can contain many useful pieces of information like:
- Application Name
- Application Category
- Application ID
- Application Risk
- Application Path
I can't really find a Field Set where I can put this kind of information. The closest one should be the "Service" Field Set, but for me this information is not really related to a service. I can also put "Application Name" in the "network.application" field, but it's not really accurate.
Has someone ever faced this issue? Could someone give me some advice on that?
Another similar point is about AV/HIPS/IPS/... signatures; I have information about:
- Signature Name
- Signature ID
- Signature Reference
- Signature Payload
I plan to use the "Observer" Field Set for this kind of information and create fields like "observer.signature.name", "observer.signature.id", etc.
Is it really relevant to use this Field Set for this case?
Thank you!