diff --git a/rfcs/text/0000-data-source-categorization-fields.md b/rfcs/text/0000-data-source-categorization-fields.md new file mode 100644 index 0000000000..a8443bb4c3 --- /dev/null +++ b/rfcs/text/0000-data-source-categorization-fields.md 
@@ -0,0 +1,75 @@ +# 0000: Data Source Categorization Fields + + +- Stage: **0 (strawperson)** +- Date: **August 26 2020** + + + + + +Elastic currently supports ingestion of data from 180+ sources, and growing. However, we do not have a coherent way to categorise these sources. This has resulted in a disconnect in how we categorize these sources from the Elastic website, in-product experiences and ECS. + +The fieldset we use to describe the data source is up for discussion, data_stream.category is a possibility. Here are proposed allowed values: + +- apm +- application +- audit +- CASB +- cloud +- collaboration +- Config Management +- containers +- CRM +- datastore +- EDR +- email +- firewall +- Identity and access management +- IDS/IPS +- Operating System +- orchestration +- productivity +- proxy +- message queue +- security +- storage +- threat intelligence +- ticketing +- VPN +- vulnerability scanner +- Web server + +## Usage +Categorization fields in ECS can govern how we categorize these data source, but only a limited set of event.category values are supported by the schema today. The event categorisation fields are catered to individual events, but don't categorise the data source. Expanding the values we support, allows us to align the user experience from ECS, Ingest Manager and the Elastic Website (elastic.co/integrations). Some additional context here: #845 (comment). + +These categories could also be used to categorise detection rules, to map data sources to corresponding rules. This would improve our onboarding experience by suggesting detection rules to users based on the sources they are ingesting data from. + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @jamiehynds | author +* @exekias | sponsor + +## References + +* https://github.com/elastic/ecs/issues/901 +* https://github.com/elastic/ecs/pull/845 + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/958 + +
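Review bot: the proposed allowed values in this hunk are inconsistent in form (`apm`, `CASB`, `Config Management`, `Identity and access management`, `IDS/IPS`, `Web server` mix lowercase, upper-case acronyms, title case, spaces and a slash), and `message queue` sits between `proxy` and `security`, breaking the otherwise alphabetical order. Since the RFC expects these values to drive categorization across ECS, Ingest Manager and the website (and potentially detection-rule mapping, per the Usage section), settle on one machine-friendly form before stage 1, for example lowercase with underscores (`config_management`, `identity_and_access_management`, `ids_ips` or `intrusion_detection`, `web_server`), and sort the list. Each value also needs a one-line definition, because several of them overlap as written (`security` versus `audit`, `edr`, `firewall`, `ids_ips`, `threat_intelligence`, `vulnerability_scanner`) and without definitions different integrations will pick different values for the same kind of source. Minor: the text alternates between "categorise" and "categorize"; pick one spelling, and the bare "#845 (comment)" reference should be a full link so it survives outside the GitHub UI.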