Improve documentation to ensure source/destination are populated as a priority

[webmat]

The definition of the Client & Server field sets are pretty extensive, whereas Source & Destination's definitions are pretty bare.

We've been encouraging people to populate source & destination as a baseline, and client & server only when relevant or helpful. Elastic Security mostly considers source & destination.

However the ECS documentation doesn't make that obvious. There's only a vague mention about prioritizing source/destination in the client/server definitions. No mention of this in source/destination.

• Expand definitions of source and destination field sets #967 We should expand the definitions of the source & destination field sets to clearly state that they are the baseline, compared to client & server.
• Add mapping network event guidance doc #969 We could also consider having a standalone documentation page that talks about capturing network related events holistically. It could cover:
  • the src/dst baseline, and showcase when cli/srv are useful (e.g. DNS)
  • it could discuss populating the network.* fields
  • it could discuss how event.category:network + event.type:protocol should always come with network.protocol:[appropriate protocol name]. Most category/type pairs are complete on their own. But not the pair network/protocol; it should come with network.protocol.

[ebeahan]

We could also consider having a standalone documentation page that talks about capturing network related events holistically

++ I think this makes a lot of sense to capture this and in the future other ECS design patterns.

[ghost]

Thank you for raising this!

[ebeahan]

@jamesmotherway I've opened #967 aiming to address the first bullet point, if you have any feedback there.

[ebeahan]

Closing as #967 and #969 have both been merged 🎉