Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EQL: consistent naming for event type vs event category #52941

Closed
costin opened this issue Feb 28, 2020 · 7 comments
Closed

EQL: consistent naming for event type vs event category #52941

costin opened this issue Feb 28, 2020 · 7 comments
Assignees
@aleksmaus
Labels
:Analytics/EQL EQL querying

Comments

@costin
Copy link
Member

costin commented Feb 28, 2020
edited
Loading

EQL historically had used event_type to indicate the type for an event.
The decision has been made (#49634) to change this to event.category which is not just a simple name but also a slightly different structure, event being an object while category a sub-field.
Yet the request still uses event_type_field to allow overriding the event field.

The two need to be aligned, it's either category meaning event_category_field or type so there's event.type (instead of event.category).
@costin costin added the :Analytics/EQL EQL querying label Feb 28, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-search (:Search/EQL)

@costin
Copy link
Member Author

costin commented Feb 28, 2020

Pinging @tsg in case there's a preferred terminology used by SIEM.

@tsg
Copy link

tsg commented Feb 28, 2020

event.category matches best in my opinion, see the possible values here. I'd say it makes sense to switch the request setting to event_category_field, less confusing that way.

@costin
Copy link
Member Author

costin commented Mar 2, 2020

Thanks - what about timestamp, should it be @timestamp or timestamp (no leading @)?

@costin costin mentioned this issue Mar 2, 2020
Closed
@costin
Copy link
Member Author

costin commented Mar 2, 2020

@timestamp it is.

@tsg
Copy link

tsg commented Mar 3, 2020

Yeah, @timestamp is the ECS name so we should default to it.

@costin costin mentioned this issue Mar 3, 2020
Closed
@aleksmaus aleksmaus mentioned this issue Mar 3, 2020
Merged
aleksmaus added a commit that referenced this issue Mar 4, 2020
@aleksmaus
EQL: consistent naming for event type vs event category (#53073)
82c645e 
Related to #52941
aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue Mar 4, 2020
@aleksmaus
EQL: consistent naming for event type vs event category (elastic#53073)
b9eee85 
Related to elastic#52941
@aleksmaus aleksmaus mentioned this issue Mar 4, 2020
Merged
aleksmaus added a commit that referenced this issue Mar 4, 2020
@aleksmaus
EQL: consistent naming for event type vs event category (#53073) (#53090
b47bffb 
)

Related to #52941
@aleksmaus
Copy link
Contributor

Done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aleksmaus aleksmaus

Labels
:Analytics/EQL EQL querying
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@costin @tsg @aleksmaus @elasticmachine