The discussion around host.hostname and host.name is a hard one, since in theory they can both be the same. I know there are some ongoing ECS discussions around that subject.
I will take a look tomorrow to see if there is an inconsistency between this one and the other security-related modules.
For user.name, are you talking about the SIEM dashboards or specific custom dashboards? I think it's usually either source/destination/host.user, but I can give that a check as well. I will note down the feedback and make sure I give it a look-over.
For the user name, Winlogbeat and Auditbeat events utilize user.name, so I also continued with that theme for our custom sources. I was talking about custom dashboards we have that give high level views of user or computer activity. If you click a user.name field, or a computer.name field from anywhere in the platform, it takes you to a dashboard that shows activity for that specific user or computer from all our event sources (AD, A/V, DLP, NGFW, IDS, etc.). Standardizing host.name and user.name is necessary for that sort of correlation to work properly.
Thank you, @Marius_Iversen ! I appreciate your insight and help with this. As you mentioned, I will just tweak the pipeline a bit for now.
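The correlation problem described in the thread (pivoting on a user or computer across AD, A/V, DLP, NGFW and IDS events only works if every source lands on the same ECS field) is shown below as an added example, not code from the original thread or from any Beats module. It does in Python what the pipeline tweak would do with set/rename processors: copy the first available of several candidate paths into the canonical host.name and user.name, then pivot on those fields. The sample events are constructed, the "computer.name" path stands in for a custom non-ECS field and is an assumption, and lowercasing the values for the join is a design choice of this example rather than anything ECS mandates.

```python
"""Normalize mixed-source events onto ECS host.name / user.name and pivot on them.

Added example (not part of the original thread). Demonstrates why a dashboard
that pivots on user.name or host.name misses events until every source is
mapped onto the same canonical fields.
"""
import copy
from collections import defaultdict

# Candidate paths, in priority order, used to populate the canonical fields.
# host.name, host.hostname, user.name, source.user.name, destination.user.name
# and host.user.name are ECS fields; "computer.name" is an assumed custom field
# a home-grown source might emit instead of host.name.
HOST_NAME_SOURCES = ["host.name", "host.hostname", "computer.name"]
USER_NAME_SOURCES = ["user.name", "source.user.name", "destination.user.name", "host.user.name"]

# Constructed sample events (not real logs) from four notional sources that
# each name the host and user differently.
RAW_EVENTS = [
    {"event": {"dataset": "windows.security"}, "host": {"name": "WS01"},
     "user": {"name": "alice"}, "message": "interactive logon"},
    {"event": {"dataset": "auditd.process"}, "host": {"hostname": "ws01"},
     "user": {"name": "alice"}, "message": "process started"},
    {"event": {"dataset": "custom.dlp"}, "computer": {"name": "ws01"},
     "source": {"user": {"name": "Alice"}}, "message": "file copied to USB"},
    {"event": {"dataset": "custom.ngfw"}, "host": {"hostname": "FW-EDGE"},
     "destination": {"user": {"name": "bob"}}, "message": "policy deny"},
]


def get_path(event, dotted):
    """Return the value at a dotted path in a nested dict, or None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_path(event, dotted, value):
    """Set the value at a dotted path, creating intermediate dicts as needed."""
    parts = dotted.split(".")
    node = event
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def first_present(event, paths):
    """First non-empty value found among the candidate paths, else None."""
    for path in paths:
        value = get_path(event, path)
        if value:
            return value
    return None


def normalize(event):
    """Return a copy with host.name and user.name filled from the fallback paths.

    Values are lowercased so 'WS01'/'ws01' and 'Alice'/'alice' join on a pivot;
    this case-folding is a choice made for correlation, not an ECS requirement.
    The input event is left untouched.
    """
    out = copy.deepcopy(event)
    host = first_present(out, HOST_NAME_SOURCES)
    if host:
        set_path(out, "host.name", host.lower())
    user = first_present(out, USER_NAME_SOURCES)
    if user:
        set_path(out, "user.name", user.lower())
    return out


def pivot(events, field, value):
    """Events whose field equals value (case-insensitive), as (dataset, message) pairs.

    This is what a dashboard drill-down on user.name or host.name does.
    """
    hits = []
    for event in events:
        found = get_path(event, field)
        if isinstance(found, str) and found.lower() == value.lower():
            hits.append((get_path(event, "event.dataset"), get_path(event, "message")))
    return hits


def datasets_by_user(events):
    """Map each user.name to the set of datasets that reported activity for it."""
    index = defaultdict(set)
    for event in events:
        user = get_path(event, "user.name")
        if user:
            index[user].add(get_path(event, "event.dataset"))
    return index


if __name__ == "__main__":
    print("raw pivot on user.name=alice:", pivot(RAW_EVENTS, "user.name", "alice"))
    normalized = [normalize(e) for e in RAW_EVENTS]
    print("normalized pivot on user.name=alice:", pivot(normalized, "user.name", "alice"))
    print("normalized pivot on host.name=ws01:", pivot(normalized, "host.name", "ws01"))
```

On the raw events a pivot on user.name=alice returns only the two sources that already populate user.name; after normalization it also returns the DLP event that carried the user under source.user.name, and a pivot on host.name=ws01 picks up the auditd and DLP events that only had host.hostname or the custom field. Agreeing which candidate path wins (and whether to case-fold or strip a domain suffix) is the part that needs to be settled once for all sources, because the pivot silently drops whatever does not match.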