Our Windows integration (and winlogbeat modules) includes a 'Forwarded' data stream which supports Windows Event Forwarding, i.e. sending Windows events from multiple Windows machines to a single machine. Some of our detection rules rely on the host.os.type field being populated, but the Forwarded pipelines don't map to this field.
While we can't gather all the OS information from the source machines, we know that Windows Event Forwarding only supports Windows events, and therefore it's safe to set host.os.type and host.os.family to windows for all forwarded events.
Can we hardcode the values in our forwarded pipelines, in both the agent integration and the beats module?
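The change proposed above, as an added illustration and not a pipeline taken from the Windows integration or the winlogbeat module: two Elasticsearch ingest `set` processors that write the constant `windows` into `host.os.type` and `host.os.family`. The pipeline name `forwarded-example` is assumed. `override: false` is used so that, should a forwarded document ever arrive with these fields already populated, the source machine's value is kept rather than clobbered.

```yaml
# Added example ingest pipeline (pipeline name "forwarded-example" is assumed;
# this is not the integration's or winlogbeat's own pipeline definition).
# Load with: PUT _ingest/pipeline/forwarded-example
description: Tag Windows Event Forwarding events with OS type/family so detection rules that key on host.os.type match
processors:
  # Windows Event Forwarding only carries Windows events, so the constant is safe.
  - set:
      field: host.os.type
      value: windows
      override: false        # keep a real value if the source already set one
  - set:
      field: host.os.family
      value: windows
      override: false
```

To check the result before wiring the pipeline into the data stream, `POST _ingest/pipeline/forwarded-example/_simulate` with a sample forwarded document in `docs` and confirm `host.os.type` and `host.os.family` read `windows` in the returned `_source`.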