
Add host.domain field #591

Merged
merged 5 commits into from
Nov 14, 2019

Conversation

janniten
Contributor

I'm working with Windows events 4741, 4742 and 4743.
When mapping into ECS I realized that I need a field host.domain.
I also found that host.domain is necessary when mapping certain Fortigate logs.

@janniten janniten mentioned this pull request Oct 22, 2019
@webmat
Contributor

webmat commented Oct 28, 2019

@elasticmachine, run elasticsearch-ci/docs

@neu5ron

neu5ron commented Oct 28, 2019

@janniten what specific Windows/Beats field name are you referring to mapping to host.domain?
I want to make sure at the same time whether we should add host.fqdn.

@webmat this LGTM otherwise, definitely necessary.

@janniten
Contributor Author

Hi @neu5ron
Some examples of specific fields are in Windows events 4741, 4742 and 4743.
Those events are related to computer account management, i.e., computers as objects in an Active Directory structure.
The field winlog.data.TargetDomainName in these events represents the domain in which the computer account was created. This is an Active Directory domain name, different from a FQDN, which is a DNS domain name.

As an analogy, there exist user.domain and group.domain, which are populated in the same way when user or group account events are mapped.

@janniten
Contributor Author

janniten commented Oct 29, 2019

> I want to make sure at the same time whether we should add host.fqdn

@neu5ron I think this could be necessary too.
My only doubt about adding host.domain is the different meaning it has from server.domain
(in the case of server.domain, as Mathieu explained to me, it means the DNS domain name).
Would it be correct to have host.domain and server.domain with different meanings?

@webmat webmat self-requested a review October 29, 2019 14:09
@webmat
Contributor

webmat commented Oct 29, 2019

Yes now that we're fleshing out support for AD/LDAP domains (user, group, now host), perhaps this will create confusion vs DNS domain names (source, dest, client, server, url). We'll see if it becomes a problem, and we can adjust if that's the case.

But for now, let's confidently move forward ;-)

  • Please add an example for the field
  • I'd say let's not add fqdn just yet

Once we have the example in place, I think we can merge this. Thanks for your contribution!

Finally, this is unrelated to this PR specifically, but related to your work here and on elastic/beats#14299, I'd love to get your thoughts on #589, @janniten.

@janniten
Contributor Author

janniten commented Oct 29, 2019

Hi @webmat
I have added the example in the host.yml (same domain Microsoft uses in their examples)
I'll take a look into the discussion in #589 and I'll leave my comments
Regards!

      Name of the directory the group is a member of.

      For example, an LDAP or Active Directory domain name.
    example: CONTOSO
Contributor

🤔 I expected this would look more like a domain name, actually.

I suppose it's something optional? Companies that run their domain 100% internal could name their domain CONTOSO, and if the company wanted to make this publicly accessible, it may be "contoso.net"?

Or was the .fqdn discussion meant to be about the FQDN of the domain controller? When I read it, I understood host.fqdn to be the fqdn of the host, which could in this case be "bob-laptop.CONTOSO"?

Contributor

> same domain Microsoft uses in their examples

Love the approach in any case :-)

Contributor Author

@janniten janniten Oct 29, 2019

Hi @webmat, it is only a name (it can be anything) that refers to an Active Directory domain or Windows domain.
It is not optional; it always exists. If you do not have an AD, the domain name in the event is the name of the local computer.
Users, groups and computers (and in general, objects within the domain) are referenced as domain_name\object-name.
In the case of Bob's laptop the reference will be CONTOSO\bob-laptop or bob-laptop.CONTOSO.
It is not related to a domain name in the DNS sense, nor to whether the domain permits the object to be publicly accessible.
Real examples of domain names and user names:

An old company I worked for (which doesn't exist anymore :) )
domain: NEXTEL_AR

My home local domain
TargetUserName Anna
TargetDomainName DESKTOP-4564S0K

Whether it is an Active Directory or a stand-alone computer in a private network, Windows always assigns a domain name :)

Member

@andrewkroh andrewkroh left a comment

I think this is a good addition. I think the field documentation needs a small change.

schemas/host.yml Outdated
    type: keyword
    short: Name of the directory the group is a member of.
    description: >
      Name of the directory the group is a member of.
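Review bot: the `short` and `description` in schemas/host.yml still read "Name of the directory the group is a member of.", which is the group.domain wording pasted into a host field; reword both to describe the host (e.g. "Name of the domain of which the host is a member.") and keep `short` and the first sentence of `description` in sync.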
Member

I would think this would read like:

"Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."

Contributor Author

Fixed!

Member

@andrewkroh andrewkroh left a comment

LGTM

@janniten
Contributor Author

janniten commented Nov 5, 2019

@andrewkroh @webmat
I found that mapping the event log's Computer Management events to host.* will cause some inconsistencies.
For all events, the host.name field is filled with the host that is the source of the event. I think I cannot use host.name to hold the name of the computer being created/deleted/modified.
Instead, maybe we can introduce some winlog-specific fields to map those fields.
I propose these:
winlog.event_data.TargetSid -> winlog.computer.id
winlog.event_data.TargetUserName -> winlog.computer.name
winlog.event_data.TargetDomainName -> winlog.computer.domain

What do you think?
Thank You
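The split described in the comment above (host.* keeps the reporting host, the managed computer account goes elsewhere), as an added example that is not ECS or Beats code; the winlog.computer.* names are the proposal from the comment, and the winlog-like input shape and sample values are constructed for illustration:

```python
"""Map Windows Security events 4741/4742/4743 (computer account created / changed /
deleted) into ECS-style fields. host.* keeps the host that *reported* the event; the
computer account acted on goes to the proposed winlog.computer.* fields (assumed names)."""
from typing import Any, Dict, Optional

COMPUTER_ACCOUNT_EVENTS = {4741: "created", 4742: "changed", 4743: "deleted"}

# Constructed sample event in a winlogbeat-like shape (field names assumed for illustration).
SAMPLE_EVENT = {
    "event_id": 4741,
    "computer_name": "DC01.contoso.com",  # host that wrote the event (a domain controller)
    "event_data": {
        "SubjectUserName": "alice",       # account that performed the action
        "SubjectDomainName": "CONTOSO",
        "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",  # constructed SID
        "TargetUserName": "BOB-LAPTOP$",  # computer account names end with '$'
        "TargetDomainName": "CONTOSO",    # AD/NetBIOS domain name, not a DNS name
    },
}


def qualified_name(domain: str, obj: str) -> str:
    """Render the domain_name\\object-name form Windows uses to reference objects."""
    return f"{domain}\\{obj}"


def map_computer_account_event(winlog: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return an ECS-style document, or None if the event is not a computer account event."""
    action = COMPUTER_ACCOUNT_EVENTS.get(winlog.get("event_id"))
    if action is None:
        return None
    data = winlog["event_data"]
    target = data["TargetUserName"]
    return {
        # event.action label is constructed for this example; event.code is the event id.
        "event": {"code": str(winlog["event_id"]), "action": f"computer-account-{action}"},
        # host.* describes the reporting host, so it must NOT carry the target computer.
        "host": {"name": winlog["computer_name"]},
        # Actor: user.domain is the AD/NetBIOS domain, the analogue of the new host.domain.
        "user": {"name": data["SubjectUserName"], "domain": data["SubjectDomainName"]},
        # The computer account being managed, in the proposed winlog.computer.* namespace.
        "winlog": {"computer": {
            "id": data["TargetSid"],
            "name": target.rstrip("$"),  # drop the machine-account suffix for the host name
            "domain": data["TargetDomainName"],
            "qualified_name": qualified_name(data["TargetDomainName"], target),
        }},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(map_computer_account_event(SAMPLE_EVENT), indent=2))
```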

@andrewkroh
Member

@janniten I think the issue you describe relates to #589. While that issue is about multiple users (source and target) I think the concept of a "target" (or whatever we call it) should expand to include a target machine.

I think this PR is good to merge. @webmat agree?

Contributor

@webmat webmat left a comment

Yes this is good to go, thanks for your contribution, @janniten :-)

@webmat webmat merged commit 5b89d30 into elastic:master Nov 14, 2019
dcode pushed a commit to dcode/ecs that referenced this pull request Apr 15, 2020