Validating Elastic Common Schema (ECS) fields using Elastic Security detection rules

The Elastic Common Schema (ECS) provides an open, consistent model for structuring your data in the Elastic Stack. By normalizing data to a single common model, you can uniformly examine your data using interactive search, visualizations, and automated analysis.

Elastic provides hundreds of integrations that are ECS-compliant out of the box, but ECS also allows you to normalize custom data sources. Normalizing a custom source can be an iterative and sometimes time-intensive process. However, we can use the Elastic Security detection engine to help quickly identify ECS non-compliance in our events.

Getting up and running

First, let’s define ECS compliance. “ECS-compliant” describes indexed data that has adopted and aligns with the ECS requirements and guidelines. ECS-compliant events ensure the best possible experience from your data across the Elastic Stack and solutions.

If you’d like to experiment with any of the detection rules demonstrated here, the easiest way to get started is by signing up for a free Elastic Cloud trial. All of the sample detection rules covered here can be downloaded from this gist and imported into the detection engine.

Now let’s explore custom detection rules which will alert on ECS non-compliant events.

Missing fields

An ECS event should populate the ecs.version field. By having each event include the targeted ECS version, we know and understand what fields and data types to expect or not expect.

In this first example, detection alerts will be generated if the ecs.version field is missing from any event in the targeted indices:

1-ecs-check-blog-security-detection-rules.png

Shortly after activating the rule, alerts are generated for non-compliant events. With the details from the alerts, we can know exactly which data sources and events are non-compliant:

2-alerts-generated-blog-security-detection-rules.png

Beyond a single missing field, detections can also identify the absence of expected fields when others are present. For example, this next detection looks for an event that populates event.category: process but fails to populate some key process.* fields:

3-missing-key-blog-security-detection-rules.png

Taking a look at the generated alerts, we discover our source isn’t populating the process.pid field:

4-process-pid-field-blog-security-detection-rules.png

Allowed values

Data sources can populate the ECS categorization fields to describe and better classify each event. Populating each event with the proper fields and values ensures consistency to group related event types.

This next rule checks each event containing the event.category field is using a valid allowed value:

5-event-category-check-blog-security-detection-rules.png

Events with an invalid value for the event.category field are now generating alerts. In our example, event.category is set to use “auth” instead of the correct value, “authentication”. Now armed with this insight, we can turn our attention to correcting the problem instead of hunting for non-compliant events.

6-correcting-event-category-blog-security-detection-rules.png

Source and destination pairings

Not all events are network events, but when they are, they should always populate the source and destination as a pair. Given that our custom event source contains network events, here's a rule that ensures source and destination are both populated:

7-source-destination-populated-blog-security-detection-rules.png

After activating the new detection, the new detection alerts indicate the source.address field is not populated:

8-source-address-not-populated-blog-security-detection-rules.png

Breakdown fields

Some ECS fields can be populated by an ingest pipeline processor like user agent. When the original user_agent field runs through the user_agent ingest processor, the processor will parse and then populate data into the appropriate fields.

This last example looks for the expected field breakdown and will alert if an expected field is missing in an event:

9-breakdown-not-populated-blog-security-detection-rules.png

Alerts are created after the rule is activated. Digging into the alert, we confirm that the event is missing the user_agent.name field:

10-user-agent-name-field-blog-security-detection-rules.png

11-user-agent-device-blog-security-detection-rules.png

Summary

These examples are just starting points! With custom, ECS compliance-focused detections, the detection engine becomes another tool to continually improve and refine your data ingestion process. Just make sure these ECS detection rules don’t trigger a pager alert!

Ready to get started? Start your free 14-day trial (no credit card required). Or download our products, free, for your on-prem deployment.