We are working to lockdown elastic stack access to organizational units that own and operate services. To this end, I was hoping others in the community that must support ISO 27K can elaborate on how they capture organizational information relative to systems, applications, and services for the purposes of security.
I don't know if people try to use the doc_type attribute of log events to reflect this information or use completely custom attributes. Documentation simply describe doc_type as The type of the document the data will be indexed as.
I'd appreciate whatever insights and recommendations anyone has to offer!