Let's say you have some Logstash module or Ruby configuration that cleans up / parses / etc. logs, and it comes across something that would be illegal (e.g. an illegal UTF-8 encoding sequence which, if it were not sanitized, could threaten the pipeline).
Obviously you would need to clean this up, but from a security point of view (i.e. as a SIEM) you would want to know that this has been done and that this (e.g. web access log) signified something noteworthy. If I were to merely fix up the request (e.g. by replacing the illegal encoding sequence with a Unicode replacement character) that would remove visibility of what was special about this request.
So what I want to know is this:
- What is a good way of safely showing the true nature of the request?
- How (preferably in an ECS-compliant way) should I signify that this request is highly suspect? ECS doesn't seem to offer any guidance on tags, from what I can see.
I don't think it would be appropriate to use the ECS error.* fields, because I'm not saying that the log entry describes an error event... possibly the threat.* fields might be useful, but I didn't see anything that seemed to match (tactics, techniques in the MITRE ATT&CK framework).
What I want to end up with is that if I send this to Elasticsearch, the SIEM product etc. has a good chance of recognising that this log indicates something of concern and should probably boost any threat evaluation.
Cheers,
Cameron
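One way to do what the post describes, as an added example that is not part of the original post: a Ruby routine in the shape of a Logstash `ruby` filter body that scrubs an invalid UTF-8 field with U+FFFD, preserves the original bytes in a printable escaped form, and adds a tag. `FakeEvent` is a stand-in for Logstash's Event (same `get`/`set` calls) so this runs offline; `tags` is an ECS base field, while the tag value and the evidence field name are assumptions.

```ruby
REPLACEMENT = "\u{FFFD}".freeze

# Returns [clean_string, was_invalid, escaped_original].
def sanitize_utf8(str)
  s = str.dup.force_encoding(Encoding::UTF_8)
  return [s, false, nil] if s.valid_encoding?
  # U+FFFD replaces every invalid byte sequence, so downstream parsers are safe.
  clean = s.scrub(REPLACEMENT)
  # Keep the true bytes as evidence, but printable-ASCII only: anything outside
  # 0x20..0x7E, plus the backslash itself, becomes \xNN so the form is unambiguous.
  escaped = s.bytes.map do |b|
    (b >= 0x20 && b <= 0x7e && b != 0x5c) ? b.chr : format("\\x%02X", b)
  end.join
  [clean, true, escaped]
end

# Stand-in for Logstash's Event: only the get/set calls used below.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end
end

# Filter logic: scrub `field`, store the escaped original in `evidence_field`
# (assumed name), and tag the event. Returns true when the field was invalid.
def sanitize_field(event, field, evidence_field, tag = "invalid_utf8")
  value = event.get(field)
  return false unless value.is_a?(String)
  clean, invalid, escaped = sanitize_utf8(value)
  return false unless invalid
  event.set(field, clean)
  event.set(evidence_field, escaped)
  event.set("tags", Array(event.get("tags")) | [tag])
  true
end
```

In a real pipeline the same logic goes in a `ruby { code => "..." }` filter, with `event` being Logstash's own object, and the tag can then drive a conditional `mutate` or alerting rule.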