Filebeat Cisco AMP Module and host.name Error

The discussion around host.hostname and host.name is a hard one, since in theory they can both be the same. I know there is some ongoing ECS discussions around that subject.

I will take a look tomorrow to see if there is an inconsistency between this one and the other security-related modules.

For user.name, are you talking about the SIEM dashboards or specific custom dashboards? I think it's usually either source/destination/host.user, but I can give that a check as well; I will note down the feedback and make sure I give it a lookover :slight_smile:

In the meantime you would unfortunately have to either modify the ingest pipeline, or set up an override pipeline on your specific index: Index modules | Elasticsearch Reference [master] | Elastic
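A concrete form of the override-pipeline workaround mentioned above, as an added example that is not code from this thread or from the Filebeat Cisco AMP module: a small ingest pipeline that fills host.name from host.hostname when host.name is missing, attached to the index through the `index.final_pipeline` setting so it runs after the module's own pipeline has finished. The pipeline name, the `filebeat-*` index pattern and the exact field names are assumptions for illustration; adjust them to what the module actually emits in your deployment.

```console
# Assumed pipeline name; runs after the module pipeline via index.final_pipeline
PUT _ingest/pipeline/ecs-host-name-normalize
{
  "description": "Copy host.hostname into host.name when host.name is absent (example override pipeline)",
  "processors": [
    {
      "set": {
        "field": "host.name",
        "value": "{{{host.hostname}}}",
        "override": false,
        "if": "ctx.host?.hostname != null"
      }
    }
  ]
}

# Apply to the existing Filebeat indices (assumed index pattern)
PUT filebeat-*/_settings
{
  "index.final_pipeline": "ecs-host-name-normalize"
}
```

`override: false` keeps any host.name the module already set, so the processor only fills the gap rather than clobbering a correct value; the triple-brace Mustache form avoids HTML-escaping the hostname. `index.final_pipeline` requires Elasticsearch 7.5 or later and, because the `_settings` call only touches indices that already exist, the same setting has to go into the Filebeat index template for it to carry over to indices created later.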

For the user name, Winlogbeat and Auditbeat events utilize user.name, so I also continued with that theme for our custom sources. I was talking about custom dashboards we have that give high level views of user or computer activity. If you click a user.name field, or a computer.name field from anywhere in the platform, it takes you to a dashboard that shows activity for that specific user or computer from all our event sources (AD, A/V, DLP, NGFW, IDS, etc.). Standardizing host.name and user.name is necessary for that sort of correlation to work properly.

Thank you, @Marius_Iversen ! I appreciate your insight and help with this. As you mentioned, I will just tweak the pipeline a bit for now. :slight_smile: :+1:
