Add ECS field normalization

elastic · May 13, 2020 · e0682df · e0682df
1 parent bcf0872
commit e0682df
Show file tree

Hide file tree

Showing 4 changed files with 1,150 additions and 736 deletions.
diff --git a/aucoalesce/coalesce.go b/aucoalesce/coalesce.go
@@ -34,6 +34,12 @@ import (
 // package does not have a constant defined for this.
 const modeBlockDevice = 060000
 
+// ECSEvent contains ECS-specific categorization fields
+type ECSEvent struct {
+	Category []string `json:"category,omitempty" yaml:"category,omitempty"`
+	Type     []string `json:"type,omitempty" yaml:"type,omitempty"`
+}
+
 type Event struct {
 	Timestamp time.Time                `json:"@timestamp"       yaml:"timestamp"`
 	Sequence  uint32                   `json:"sequence"         yaml:"sequence"`
@@ -54,6 +60,10 @@ type Event struct {
 	Data  map[string]string   `json:"data,omitempty"  yaml:"data,omitempty"`
 	Paths []map[string]string `json:"paths,omitempty" yaml:"paths,omitempty"`
 
+	ECS struct {
+		Event ECSEvent `json:"event" yaml:"event"`
+	} `json:"ecs" yaml:"ecs"`
+
 	Warnings []error `json:"-" yaml:"-"`
 }
 
@@ -454,6 +464,9 @@ func applyNormalization(event *Event) {
 		return
 	}
 
+	event.ECS.Event.Category = norm.ECS.Category.Values
+	event.ECS.Event.Type = norm.ECS.Type.Values
+
 	event.Summary.Action = norm.Action
 
 	switch norm.Object.What {