Description
We have beats/elastic-agent collecting log data from many different regional offices, cloud environments and third-party services.
We do zone tagging to make it easier for security analysts/IT to select the metrics/logs in a specific zone. During triage of security alerts this also helps analysts know which IT team is responsible for the host/service which caused the security alert.
zone: the network zone the event was collected from
environment: the environment within the above network zone
zone can be a:
country code like uk, us, ca, ky
cloud name like gcp, azure, oci or aws
for third-party services the zone is api or external
environment can be:
prod
production
dev
development
non-prod
test
uat
Would the following fields be good additions to ECS?
event.zone
event.environment
Examples of event.zone:
event.zone:ca
event.zone:us
event.zone:uk
event.zone:gb
event.zone:ir
event.zone:sa
event.zone:aws
event.zone:gcp
event.zone:oci
event.zone:azure
event.zone:api
event.zone:external
Examples of event.environment:
event.environment:prod
event.environment:non-prod
event.environment:dev
event.environment:test
event.environment:uat
These fields would be set in the Fleet Policy settings.
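An added example (not code from the ECS project or from this issue) of what an ingest-side check for the proposed fields could look like: it canonicalises the environment synonyms listed above (production -> prod, development -> dev), flags zone/environment values outside the listed vocabulary so a misconfigured Fleet policy is visible rather than silently misrouting alerts, and counts alerts per zone/environment pair for triage. Treating the value list as closed, and the sample events, are assumptions made for the example.

```python
from collections import Counter

# Vocabulary taken from the issue text; treating it as a closed set is an assumption.
ZONES = {"uk", "us", "ca", "ky", "gb", "ir", "sa",   # country codes
         "aws", "gcp", "azure", "oci",                 # cloud providers
         "api", "external"}                           # third-party services

# Synonyms listed in the issue, mapped onto one canonical value each.
ENV_ALIASES = {"prod": "prod", "production": "prod",
               "dev": "dev", "development": "dev",
               "non-prod": "non-prod", "test": "test", "uat": "uat"}


def normalize_event(event: dict) -> dict:
    """Return a copy of `event` with event.zone / event.environment canonicalised.

    Unknown or missing values become "unknown" and a tag is appended so that
    bad policy settings show up in a dashboard instead of vanishing."""
    out = {**event}
    ev = dict(out.get("event", {}))
    tags = list(out.get("tags", []))
    zone = str(ev.get("zone", "")).strip().lower()
    if zone not in ZONES:
        tags.append("zone_invalid")
        zone = "unknown"
    env = ENV_ALIASES.get(str(ev.get("environment", "")).strip().lower())
    if env is None:
        tags.append("environment_invalid")
        env = "unknown"
    ev["zone"], ev["environment"] = zone, env
    out["event"], out["tags"] = ev, tags
    return out


def alerts_by_zone(events) -> dict:
    """Count alerts per (zone, environment) pair, the split analysts triage by."""
    counts = Counter()
    for e in map(normalize_event, events):
        counts[(e["event"]["zone"], e["event"]["environment"])] += 1
    return dict(counts)


# Constructed sample alerts (not real data): mixed case, a synonym, a typo, a missing field.
SAMPLE = [
    {"event": {"kind": "alert", "zone": "CA", "environment": "Production"}},
    {"event": {"kind": "alert", "zone": "aws", "environment": "non-prod"}},
    {"event": {"kind": "alert", "zone": "aws", "environment": "nonprod"}},
    {"event": {"kind": "alert", "zone": "lab"}},
]

if __name__ == "__main__":
    for key, n in sorted(alerts_by_zone(SAMPLE).items()):
        print(key, n)
```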