I have some questions regarding the security module.
Using processor.Convert(), the mapping of Windows event data into ECS is done by renaming fields.
I have some doubts regarding the behavior:
- When the original field exists but is null, the destination ECS field is not created.
As an example, in some instances of event 4625, winlog.event_data.IpAddress exists for all documents, but source.ip is only populated when winlog.event_data.IpAddress is not null.
Is this the expected behavior? If yes:
Is there a way to assign a default or dummy value to the populated ECS field, even when winlog.event_data.IpAddress is null?
That way I could always perform aggregations using the field source.ip; if it does not exist, I can use it for some 4625 events but not for all.
Is it better to have "dense" documents? I mean, for similar documents (documents corresponding to event.code 4625) to all have the same fields with data?
Thank you very much
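One way to get the "always populated" behaviour asked about above is a Beats `script` processor (lang: javascript) that copies the field itself and backfills a default when the source is null. The code below is an added example, not code from the original post or from the Winlogbeat security module; the `process(event)` entry point and the `event.Get` / `event.Put` / `event.Tag` calls are the Beats script-processor API, while the `Event` class is a constructed stand-in so the snippet runs offline, and the default value, the tag name and the sample events are hypothetical.

```javascript
// Added example: script-processor body that maps
// winlog.event_data.IpAddress -> source.ip and backfills a default when the
// source value is missing, null or empty. Only the process() function would
// go into the `source:` of a `script` processor in winlogbeat.yml.

const SOURCE_FIELD = "winlog.event_data.IpAddress";
const DEST_FIELD = "source.ip";
// Hypothetical default. ECS maps source.ip as an `ip` type, so the default
// must be a parseable address; non-address placeholders such as "-" would be
// rejected at index time. A tag marks documents that received the default.
const DEFAULT_IP = "0.0.0.0";
const DEFAULT_TAG = "source_ip_defaulted";

// Entry point used by the Beats script processor.
function process(event) {
  const value = event.Get(SOURCE_FIELD);
  if (value === null || value === undefined || value === "") {
    // Source absent or null: populate the ECS field anyway so aggregations
    // on source.ip see every 4625 document, and flag it as defaulted.
    event.Put(DEST_FIELD, DEFAULT_IP);
    event.Tag(DEFAULT_TAG);
  } else {
    event.Put(DEST_FIELD, value);
  }
  return event;
}

// Constructed stand-in for the Beats event object (offline testing only).
class Event {
  constructor(fields) {
    this.fields = fields;
  }
  // Dotted-key lookup; returns null when any path segment is missing.
  Get(key) {
    let cur = this.fields;
    for (const part of key.split(".")) {
      if (cur === null || typeof cur !== "object" || !(part in cur)) return null;
      cur = cur[part];
    }
    return cur;
  }
  // Dotted-key write; creates intermediate objects as needed.
  Put(key, value) {
    const parts = key.split(".");
    let cur = this.fields;
    for (const part of parts.slice(0, -1)) {
      if (cur[part] === null || typeof cur[part] !== "object") cur[part] = {};
      cur = cur[part];
    }
    cur[parts[parts.length - 1]] = value;
  }
  // Appends to the `tags` array without duplicates.
  Tag(tag) {
    if (!Array.isArray(this.fields.tags)) this.fields.tags = [];
    if (!this.fields.tags.includes(tag)) this.fields.tags.push(tag);
  }
}

// Constructed sample documents shaped like two event 4625 records: one with
// a network source address, one where IpAddress is present but null.
function demo() {
  const withIp = process(new Event({
    event: { code: "4625" },
    winlog: { event_data: { IpAddress: "10.1.2.3" } },
  }));
  const nullIp = process(new Event({
    event: { code: "4625" },
    winlog: { event_data: { IpAddress: null } },
  }));
  return [withIp, nullIp];
}

for (const e of demo()) {
  console.log(JSON.stringify(e.fields));
}
```

With this in place every 4625 document carries source.ip, and a filter on `tags: source_ip_defaulted` (or its negation) separates real addresses from backfilled ones in aggregations.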