I try to use ECS to standardize various logs from different applications. I don't always manage to find a field that suits the situation, especially when it comes to user authorization/authentication. I would like to provide an example of some logs and discuss whether it is possible to store some of the information in the standard ECS schema. Examples:
User s3 logged in via SSH with MFA enabled (true), using a web terminal named ko-ko.
user.name: s3
event.action: login
user.authentication.mfa: true (e)
user.authentication.count: 1 (e)
user.login.type: web-terminal (e)
user.login.terminal: ko-ko (e)

User s3 uploaded data to preferences-api with security settings.
user.name: s3
event.action: upload
label.resource.name: preferences-api (e)
label.resource.params: security (e)

User gen-ai used 5 commands to generate images. Output: "images1.png, images2.png will be generated."
user.name: gen-ai
user.session.command_count: 5 (e)
event.action: generate images
label.output: "images1.png, images2.png will be generated" (e)
Fields marked with (e) indicate that I did not find a suitable field in the standard ECS schema. Please share your experience if you have encountered storing this type of data or know a suitable field from the standard schema. Additionally, explain why you chose this particular field. I would appreciate your feedback.
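As an added example (not from the original post, and not an official Elastic recommendation), the script below shows one way to normalize the three events above into ECS-shaped documents and to check that nothing outside an allow-list of ECS field paths leaks into the index. It uses only core ECS fields I am confident exist (`user.name`, `event.kind`, `event.action`, `event.category`, `event.type`, `event.outcome`, `service.name`, `network.protocol`, `message`, `@timestamp`) and puts the attributes that have no standard field under the ECS `labels` object, which is defined as a flat map of string key/value pairs. The specific `event.category`/`event.type` choices (for example treating the SSH login as `authentication` + `session` / `start`) and the raw input format are my assumptions; the raw events are constructed to mirror the post.

```python
"""Normalize application log events into ECS-shaped documents (added example)."""
from datetime import datetime, timezone
from typing import Any

# Constructed raw events mirroring the three examples in the post (assumed shape).
RAW_EVENTS = [
    {"kind": "login", "user": "s3", "protocol": "ssh", "mfa": True,
     "login_type": "web-terminal", "terminal": "ko-ko", "auth_count": 1},
    {"kind": "upload", "user": "s3", "target": "preferences-api", "params": "security"},
    {"kind": "generate", "user": "gen-ai", "command_count": 5,
     "output": "images1.png, images2.png will be generated."},
]

# Allow-list of ECS field paths this pipeline may emit (a subset of ECS; `labels`
# is treated as one leaf because ECS defines it as a flat custom key/value map).
ALLOWED_FIELDS = {
    "@timestamp", "message", "labels", "user.name",
    "event.kind", "event.action", "event.category", "event.type", "event.outcome",
    "service.name", "network.protocol",
}


def _set(doc: dict, path: str, value: Any) -> None:
    """Set a dotted path as nested objects: user.name -> {"user": {"name": ...}}."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def flatten(doc: dict, prefix: str = "") -> dict:
    """Flatten nested objects into dotted paths; `labels` stays a single leaf."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict) and path != "labels":
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def validate_ecs(doc: dict) -> list:
    """Return offending paths: fields outside the allow-list, or non-string labels."""
    problems = [path for path in flatten(doc) if path not in ALLOWED_FIELDS]
    for key, value in doc.get("labels", {}).items():
        if not isinstance(value, str):
            problems.append(f"labels.{key}")
    return problems


def to_ecs(raw: dict) -> dict:
    """Map one constructed raw event to an ECS document (category choices assumed)."""
    doc: dict = {}
    _set(doc, "@timestamp", datetime.now(timezone.utc).isoformat())
    _set(doc, "event.kind", "event")
    _set(doc, "user.name", raw["user"])
    labels: dict = {}

    if raw["kind"] == "login":
        _set(doc, "event.action", "login")
        _set(doc, "event.category", ["authentication", "session"])
        _set(doc, "event.type", ["start"])
        _set(doc, "event.outcome", "success")
        _set(doc, "network.protocol", raw["protocol"])
        # No core ECS field for MFA/terminal details: keep them as string labels.
        labels.update(mfa=str(raw["mfa"]).lower(), login_type=raw["login_type"],
                      terminal=raw["terminal"], auth_count=str(raw["auth_count"]))
        _set(doc, "message", f"User {raw['user']} logged in via {raw['protocol']}")
    elif raw["kind"] == "upload":
        _set(doc, "event.action", "upload")
        _set(doc, "event.category", ["file"])
        _set(doc, "event.type", ["creation"])
        _set(doc, "service.name", raw["target"])  # the target service, not a label
        labels.update(params=raw["params"])
        _set(doc, "message", f"User {raw['user']} uploaded data to {raw['target']}")
    elif raw["kind"] == "generate":
        _set(doc, "event.action", "generate-images")
        _set(doc, "event.category", ["process"])
        _set(doc, "event.type", ["info"])
        labels.update(command_count=str(raw["command_count"]), output=raw["output"])
        _set(doc, "message", f"User {raw['user']} generated images")
    else:
        raise ValueError(f"unknown event kind: {raw['kind']!r}")

    _set(doc, "labels", labels)
    return doc


if __name__ == "__main__":
    for event in RAW_EVENTS:
        ecs_doc = to_ecs(event)
        print(ecs_doc, "problems:", validate_ecs(ecs_doc))
```

The allow-list check is the part worth keeping in a real pipeline: an ingest path that silently accepts `user.authentication.mfa` or `label.resource.name` creates fields that no ECS-based detection rule or dashboard will ever read, so failing (or at least alerting) on unknown paths before indexing keeps the schema drift visible.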