I am running into two issues with the Network Events.
The first issue is that HTTPS traffic is not getting identified as HTTPS traffic and is has an empty http.request.body.content and most HTTP traffic is the same.
The other issue is that the http.request.body.content does not get parsed (when it does exist) like Packetbeat does therefore some dashboards do not work. For example, when drilling down into an IP from the network map in the SIEM, you will not see HTTP Requests associated with that IP since several fields do not exist such as http.request.method.
Is there a way to get this data parsed like Packetbeat or is Packetbeat the only way to get this functionality?
Hi @man715, thanks for checking out Endpoint Security.
Endpoint does have some overlap with various Beats (Packetbeat in this case) for what data type is collected from machines. However, the Endpoint and Beats do not share a code base and so they don't necessarily fill in the same data in every event, which is what you're seeing.
Overtime we'll work to close gaps like this. Its good to hear the type of data you feel is missing from Endpoint data. For the time being please consider Endpoint and Beats as complimentary products, neither is a replacement for the other.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.