My customers use CPE IDs (Common Platform Enumeration) quite a bit.
For operating systems, the CPE ID can be dismantled into fields for ECS pretty 1-to-1 if desired, but for applications, I don't see a similar object. "package" is kind of close, but seems very Linux specific.
What would be a best practice for storing CPE IDs in an ECS document?
Thanks for bringing this up! This may actually be a very useful source of information to help us plan further improvements in these areas. I'm still not satisfied with what we have for OS, actually (see this issue)
I'm actually not familiar with this information dictionary. Is there another resource that may help visualize these concepts, other than the 160Mb XML file?
I'll check with a few contributors if they could help us drive this discussion forward.
In the meantime, make sure you check the latest version (ECS 1.3+) of the package schema. I'd like to hear what you have in mind that's missing there, for Windows. Note that at this time, the idea for this field set is specifically around software package distribution systems, such as Chocolatey. It's not currently meant to capture information about software that's installed in different arbitrary ways (installer, zip, etc).
Is there another resource that may help visualize these concepts, other than the 160Mb XML file?
Yes. CPE is part of the US government's SCAP specifications along with CVE and CVSS - which are used in the ECS documentation. The CPE spec can be found here.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.