ECS defines a top-level rule object property, with a number of fields that correspond to Kibana alerting rules:
rule.author - the rule updatedBy fieldrule.id - the rule saved object idrule.license - alert type license, basic, gold, etcrule.name - the rule name fieldrule.reference - url to the help page for the alert type
Some are less clear how they would relate:
rule.descriptionrule.category - could be producer, perhapsrule.ruleset - could be producer, perhapsrule.uuid - maybe this would be spaceId + id, or switch the values with rule.id (it would have spaceId)rule.version - could be stack version, and could perhaps also be a constant_keyword in our event log indices since we create new indices for every stack version
The one missing bit of info is the spaceId, which we could perhaps force into rule.ruleset or rule.category, but those aren't great fits. We'd probably want something like a rule.namespace: keyword sort of field added.
As a secondary item, there is a event.kind field that we can populate with alert - https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-kind . Related is event.category - almost smells like this could be the producer value to me.
FWIW, at the time we created the event log, I don't believe the rule properties existed, and the valid values for event.kind, and it's relation to event.category (secondary to event.kind) had been specified.
ECS defines a top-level
ruleobject property, with a number of fields that correspond to Kibana alerting rules:rule.author- the ruleupdatedByfieldrule.id- the rule saved object idrule.license- alert type license, basic, gold, etcrule.name- the rulenamefieldrule.reference- url to the help page for the alert typeSome are less clear how they would relate:
rule.descriptionrule.category- could be producer, perhapsrule.ruleset- could be producer, perhapsrule.uuid- maybe this would be spaceId + id, or switch the values withrule.id(it would have spaceId)rule.version- could be stack version, and could perhaps also be aconstant_keywordin our event log indices since we create new indices for every stack versionThe one missing bit of info is the spaceId, which we could perhaps force into
rule.rulesetorrule.category, but those aren't great fits. We'd probably want something like arule.namespace: keywordsort of field added.As a secondary item, there is a
event.kindfield that we can populate withalert- https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-kind . Related isevent.category- almost smells like this could be theproducervalue to me.FWIW, at the time we created the event log, I don't believe the
ruleproperties existed, and the valid values forevent.kind, and it's relation toevent.category(secondary toevent.kind) had been specified.