From 064cdee3625b75f020530911e41089390cba77d0 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Wed, 9 Feb 2022 14:02:02 -0600 Subject: [PATCH] Restructure `usage-examples` ES generated artifacts (#1762) * restructure generated dir structure * update the example version to use 8.x * cleanup usage-example es generated artifacts * make dir structure in example command consistent * drop -dev * changelog entry --- CHANGELOG.next.md | 2 +- usage-example/README.md | 14 +- usage-example/generated/beats/fields.ecs.yml | 524 ++++++-- usage-example/generated/csv/fields.csv | 488 +++---- usage-example/generated/ecs/ecs_flat.yml | 663 ++++++++-- usage-example/generated/ecs/ecs_nested.yml | 738 +++++++++-- .../ecs/subset/web_logs/ecs_flat.yml | 663 ++++++++-- .../ecs/subset/web_logs/ecs_nested.yml | 738 +++++++++-- .../generated/elasticsearch/6/template.json | 1158 ----------------- .../composable/component/acme.json | 23 + .../composable/component/agent.json | 44 + .../composable/component/base.json | 25 + .../composable/component/client.json | 187 +++ .../composable/component/destination.json | 187 +++ .../composable/component/ecs.json | 20 + .../composable/component/event.json | 112 ++ .../composable/component/http.json | 87 ++ .../composable/component/network.json | 86 ++ .../composable/component/related.json | 23 + .../composable/component/server.json | 187 +++ .../composable/component/source.json | 187 +++ .../composable/component/url.json | 78 ++ .../composable/component/user.json | 25 + .../composable/component/user_agent.json | 83 ++ .../elasticsearch/composable/template.json | 62 + .../elasticsearch/{7 => legacy}/template.json | 169 ++- 26 files changed, 4491 insertions(+), 2082 deletions(-) delete mode 100644 usage-example/generated/elasticsearch/6/template.json create mode 100644 usage-example/generated/elasticsearch/composable/component/acme.json create mode 100644 usage-example/generated/elasticsearch/composable/component/agent.json create mode 100644 usage-example/generated/elasticsearch/composable/component/base.json create mode 
100644 usage-example/generated/elasticsearch/composable/component/client.json create mode 100644 usage-example/generated/elasticsearch/composable/component/destination.json create mode 100644 usage-example/generated/elasticsearch/composable/component/ecs.json create mode 100644 usage-example/generated/elasticsearch/composable/component/event.json create mode 100644 usage-example/generated/elasticsearch/composable/component/http.json create mode 100644 usage-example/generated/elasticsearch/composable/component/network.json create mode 100644 usage-example/generated/elasticsearch/composable/component/related.json create mode 100644 usage-example/generated/elasticsearch/composable/component/server.json create mode 100644 usage-example/generated/elasticsearch/composable/component/source.json create mode 100644 usage-example/generated/elasticsearch/composable/component/url.json create mode 100644 usage-example/generated/elasticsearch/composable/component/user.json create mode 100644 usage-example/generated/elasticsearch/composable/component/user_agent.json create mode 100644 usage-example/generated/elasticsearch/composable/template.json rename usage-example/generated/elasticsearch/{7 => legacy}/template.json (88%)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index feb385ca05..945f376775 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -121,7 +121,7 @@ Thanks, you're awesome :-) -->
 * Removing use-cases directory #1405
 * Remove Go code generator. #1567
 * Remove template generation for ES6. #1680
-* Update folder structure for generated ES artifacts. #1700
+* Update folder structure for generated ES artifacts. #1700, #1762
 * Updated support for overridable composable settings template. #1737
 
 #### Improvements
diff --git a/usage-example/README.md b/usage-example/README.md
index 175ffeab58..cb17a6c238 100644
--- a/usage-example/README.md
+++ b/usage-example/README.md
@@ -8,13 +8,13 @@ the `generated` directory contains the files generated by running the following
 command from the root of the ECS repository:
 
 ```bash
-python scripts/generator.py --ref v1.6.0 \
- --subset usage-example/fields/subset.yml \
- --include usage-example/fields/custom/ \
- --out usage-example/ \
- --template-settings-legacy ../my-project/fields/template-settings-legacy.json \
- --template-settings ../my-project/fields/template-settings.json \
- --mapping-settings usage-example/fields/mapping-settings.json
+python scripts/generator.py --ref v8.0.0 \
+ --subset usage-example/fields/subset.yml \
+ --include usage-example/fields/custom/ \
+ --out usage-example/ \
+ --template-settings-legacy usage-example/fields/template-settings-legacy.json \
+ --template-settings usage-example/fields/template-settings.json \
+ --mapping-settings usage-example/fields/mapping-settings.json
 ```
 
 Refer back to [USAGE.md](../USAGE.md) for the documentation on each of these flags.
diff --git a/usage-example/generated/beats/fields.ecs.yml b/usage-example/generated/beats/fields.ecs.yml
index 24e320ec4b..2f2b8f5159 100644
--- a/usage-example/generated/beats/fields.ecs.yml
+++ b/usage-example/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.6.0.
+# based on ECS version 8.0.0.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
@@ -20,6 +20,7 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' + default_field: true - name: labels level: core type: object
@@ -31,9 +32,10 @@ Example: `docker` and `k8s` labels.' example: '{"application": "foo-bar", "env": "production"}' + default_field: true - name: message level: core - type: text + type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer.
@@ -42,17 +44,20 @@ If multiple messages exist, they can be combined into one message.' example: Hello World + default_field: true - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' + default_field: true - name: acme title: ACME group: 2 description: Acme Inc. custom fields type: group + default_field: true fields: - name: account.id level: custom @@ -75,6 +80,7 @@ not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group + default_field: true fields: - name: build.original level: core @@ -150,6 +156,7 @@ in that category, you should still ensure that source and destination are filled appropriately.' type: group + default_field: true fields: - name: address level: extended @@ -173,8 +180,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC @@ -188,13 +194,25 @@ level: core type: keyword ignore_above: 1024 - description: Client domain. + description: 'The domain name of the client system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword 
@@ -230,6 +248,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -242,6 +270,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -250,7 +285,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip 
@@ -288,6 +329,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -318,8 +373,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein @@ -354,17 +408,17 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword 
@@ -375,10 +429,17 @@ - name: destination title: Destination group: 2 - description: 'Destination fields describe details about the destination of a packet/event. - - Destination fields are usually populated in conjunction with source fields.' + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or + other event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' type: group + default_field: true fields: - name: address level: extended @@ -402,8 +463,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC @@ -417,13 +477,25 @@ level: core type: keyword ignore_above: 1024 - description: Destination domain. + description: 'The domain name of the destination system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword 
@@ -459,6 +531,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -471,6 +553,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -479,7 +568,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip 
@@ -516,6 +611,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -546,8 +655,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein @@ -582,17 +690,17 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword @@ -605,6 +713,7 @@ group: 2 description: Meta-information specific to ECS. type: group + default_field: true fields: - name: version level: core @@ -634,6 +743,7 @@ temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group + default_field: true fields: - name: action level: core 
@@ -645,6 +755,37 @@ Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change + - name: agent_id_status + level: extended + type: keyword + ignore_above: 1024 + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. + + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + default_field: false - name: category level: core type: keyword 
@@ -770,14 +911,17 @@ - name: original level: core type: keyword - ignore_above: 1024 - description: 'Raw text message of entire event. Used to demonstrate log integrity. + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may + be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, please see `Field data types` in the `Elasticsearch Reference`.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 index: false + doc_values: false - name: outcome level: core type: keyword @@ -831,7 +975,7 @@ ignore_above: 1024 description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 default_field: false @@ -917,6 +1061,7 @@ description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group + default_field: true fields: - name: request.body.bytes level: extended @@ -926,12 +1071,10 @@ example: 887 - name: request.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: The full HTTP request body. example: Hello world 
@@ -941,20 +1084,38 @@ format: bytes description: Total size in bytes of the request (body and headers). example: 1437 + - name: request.id + level: extended + type: keyword + ignore_above: 1024 + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + default_field: false - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. - Prior to ECS 1.6.0 the following guidance was provided: - - "The field value must be normalized to lowercase for querying." + The value should retain its casing from the original event. For example, `GET`, + `get`, and `GeT` are all considered valid values for this field.' + example: POST + - name: request.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Mime type of the body of the request. - As of ECS 1.6.0, the guidance is deprecated because the original case of the - method may be useful in anomaly detection. Original case will be mandated - in ECS 2.0.0' - example: GET, POST, PUT, PoST + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + default_field: false - name: request.referrer level: extended type: keyword @@ -969,12 +1130,10 @@ example: 887 - name: response.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: The full HTTP response body. example: Hello world 
@@ -984,6 +1143,18 @@ format: bytes description: Total size in bytes of the response (body and headers). example: 1437 + - name: response.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + default_field: false - name: response.status_code level: extended type: long @@ -1005,19 +1176,21 @@ The network.* fields should be populated with details about the network activity associated with an event.' type: group + default_field: true fields: - name: application level: extended type: keyword ignore_above: 1024 - description: 'A name given to an application level protocol. This can be arbitrarily - assigned for things like microservices, but also apply to things like skype, - icq, facebook, twitter. This would be used in situations where the vendor - or service can be decoded such as from the source/dest IP owners, ports, or - wire format. + description: 'When a specific application or service is identified from network + connection details (source/dest IPs, ports, certificates, or wire format), + this field captures the application''s or service''s name. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + For example, the original event identifies the network connection being from + a specific web service in a `https` network connection, like `facebook` or + `twitter`. + + The field value must be normalized to lowercase for querying.' example: aim - name: bytes level: core 
@@ -1043,11 +1216,17 @@ type: keyword ignore_above: 1024 description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound - name: forwarded_ip level: core @@ -1066,8 +1245,8 @@ level: extended type: object description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) default_field: false 
@@ -1103,10 +1282,10 @@ level: core type: keyword ignore_above: 1024 - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + description: 'In the OSI Model this would be the Application Layer protocol. + For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: http - name: transport level: core @@ -1115,8 +1294,7 @@ description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: tcp - name: type level: core @@ -1125,8 +1303,7 @@ description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: ipv4 - name: vlan.id level: extended @@ -1157,6 +1334,7 @@ to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.' type: group + default_field: true fields: - name: ip level: extended @@ -1166,7 +1344,7 @@ level: extended type: keyword ignore_above: 1024 - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. default_field: false - name: server title: Server @@ -1187,6 +1365,7 @@ in that category, you should still ensure that source and destination are filled appropriately.' type: group + default_field: true fields: - name: address level: extended 
@@ -1210,8 +1389,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC @@ -1225,13 +1403,25 @@ level: core type: keyword ignore_above: 1024 - description: Server domain. + description: 'The domain name of the server system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -1267,6 +1457,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -1279,6 +1479,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip 
@@ -1287,7 +1494,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip @@ -1325,6 +1538,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -1355,8 +1582,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein 
@@ -1391,17 +1617,17 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword @@ -1412,10 +1638,17 @@ - name: source title: Source group: 2 - description: 'Source fields describe details about the source of a packet/event. - - Source fields are usually populated in conjunction with destination fields.' + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' type: group + default_field: true fields: - name: address level: extended @@ -1439,8 +1672,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC 
@@ -1454,13 +1686,25 @@ level: core type: keyword ignore_above: 1024 - description: Source domain. + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -1496,6 +1740,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -1508,6 +1762,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -1516,7 +1777,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip 
@@ -1554,6 +1821,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -1584,8 +1865,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein @@ -1620,17 +1900,17 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword @@ -1644,6 +1924,7 @@ description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group + default_field: true fields: - name: domain level: extended 
@@ -1652,19 +1933,26 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended @@ -1675,12 +1963,10 @@ The `#` is not part of the fragment.' - name: full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event @@ -1688,12 +1974,10 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: 'Unmodified original url as seen in the event source. 
@@ -1709,8 +1993,7 @@ description: Password of the request. - name: path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Path of the request, such as "/search". - name: port level: extended @@ -1749,6 +2032,20 @@ Note: The `:` is not part of the scheme.' example: https + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -1775,6 +2072,7 @@ Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group + default_field: true fields: - name: name level: core @@ -1782,11 +2080,10 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user_agent title: User agent group: 2 @@ -1794,6 +2091,7 @@ They often show up in web service logs coming from the parsed user agent string.' type: group + default_field: true fields: - name: device.name level: extended 
@@ -1813,8 +2111,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -1830,8 +2127,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -1847,8 +2143,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, without the version. example: Mac OS X @@ -1858,6 +2153,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/usage-example/generated/csv/fields.csv b/usage-example/generated/csv/fields.csv index 8eb4127a49..2a2a52544a 100644 --- a/usage-example/generated/csv/fields.csv +++ b/usage-example/generated/csv/fields.csv 
@@ -1,234 +1,256 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.6.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.6.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.6.0,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.6.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.6.0,true,acme,acme.account.id,keyword,custom,,,Customer account for this activity.
-1.6.0,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.6.0,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.6.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.6.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.6.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.6.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.6.0,true,client,client.address,keyword,extended,,,Client network address.
-1.6.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.6.0,true,client,client.domain,keyword,core,,,Client domain.
-1.6.0,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0,true,client,client.ip,ip,core,,,IP address of the client.
-1.6.0,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.6.0,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.6.0,true,client,client.nat.port,long,extended,,,Client NAT port
-1.6.0,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.6.0,true,client,client.port,long,core,,,Port of the client.
-1.6.0,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.6.0,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0,true,client,client.user.email,keyword,extended,,,User email address.
-1.6.0,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.6.0,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.6.0,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.6.0,true,destination,destination.domain,keyword,core,,,Destination domain.
-1.6.0,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.6.0,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.6.0,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.6.0,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.6.0,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.6.0,true,destination,destination.port,long,core,,,Port of the destination.
-1.6.0,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.6.0,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0,true,destination,destination.user.email,keyword,extended,,,User email address.
-1.6.0,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.6.0,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.6.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.6.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.6.0,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.6.0,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.6.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.6.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.6.0,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.6.0,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.6.0,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.6.0,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.6.0,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.6.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.6.0,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.6.0,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.6.0,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.6.0,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.6.0,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.6.0,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.6.0,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.6.0,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.6.0,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.6.0,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.6.0,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.6.0,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.6.0,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.6.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.6.0,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
-1.6.0,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.6.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.6.0,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.6.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.6.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.6.0,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
-1.6.0,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.6.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.6.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.6.0,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.6.0,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.6.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.6.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.6.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.6.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.6.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.6.0,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.6.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.6.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.6.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.6.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.6.0,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.6.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.6.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.6.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.6.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.6.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.6.0,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.6.0,true,server,server.address,keyword,extended,,,Server network address.
-1.6.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.6.0,true,server,server.domain,keyword,core,,,Server domain.
-1.6.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0,true,server,server.ip,ip,core,,,IP address of the server.
-1.6.0,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.6.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.6.0,true,server,server.nat.port,long,extended,,,Server NAT port
-1.6.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.6.0,true,server,server.port,long,core,,,Port of the server.
-1.6.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.6.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0,true,server,server.user.email,keyword,extended,,,User email address.
-1.6.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.6.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0,true,source,source.address,keyword,extended,,,Source network address.
-1.6.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.6.0,true,source,source.domain,keyword,core,,,Source domain.
-1.6.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0,true,source,source.ip,ip,core,,,IP address of the source.
-1.6.0,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.6.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.6.0,true,source,source.nat.port,long,extended,,,Source NAT port
-1.6.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.6.0,true,source,source.port,long,core,,,Port of the source.
-1.6.0,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.6.0,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0,true,source,source.user.email,keyword,extended,,,User email address.
-1.6.0,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.6.0,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-1.6.0,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
-1.6.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.6.0,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.6.0,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.6.0,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.6.0,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.6.0,true,url,url.password,keyword,extended,,,Password of the request.
-1.6.0,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
-1.6.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.6.0,true,url,url.query,keyword,extended,,,Query string of the request.
-1.6.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.6.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.6.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0,true,url,url.username,keyword,extended,,,Username of the request.
-1.6.0,true,user,user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.6.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.6.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.6.0,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.6.0,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.6.0,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.6.0,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.6.0,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.6.0,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+8.0.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.0.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.0.0,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.0.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.0.0,true,acme,acme.account.id,keyword,custom,,,Customer account for this activity.
+8.0.0,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+8.0.0,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+8.0.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.0.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.0.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+8.0.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.0.0,true,client,client.address,keyword,extended,,,Client network address.
+8.0.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.0.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.0.0,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.0.0,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+8.0.0,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client.
+8.0.0,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+8.0.0,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
+8.0.0,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.0.0,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.0.0,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+8.0.0,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.0.0,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.0.0,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
+8.0.0,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.0.0,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+8.0.0,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.0.0,true,client,client.ip,ip,core,,,IP address of the client.
+8.0.0,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
+8.0.0,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+8.0.0,true,client,client.nat.port,long,extended,,,Client NAT port
+8.0.0,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+8.0.0,true,client,client.port,long,core,,,Port of the client.
+8.0.0,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+8.0.0,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.0.0,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.0.0,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.0.0,true,client,client.user.email,keyword,extended,,,User email address.
+8.0.0,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.0.0,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.0.0,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.0.0,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.0.0,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+8.0.0,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.0.0,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.0.0,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.0.0,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.0.0,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.0.0,true,destination,destination.address,keyword,extended,,,Destination network address.
+8.0.0,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.0.0,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.0.0,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.0.0,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +8.0.0,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +8.0.0,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +8.0.0,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +8.0.0,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +8.0.0,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.0.0,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +8.0.0,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.0.0,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.0.0,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +8.0.0,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.0.0,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +8.0.0,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.0.0,true,destination,destination.ip,ip,core,,,IP address of the destination. +8.0.0,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +8.0.0,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +8.0.0,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +8.0.0,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +8.0.0,true,destination,destination.port,long,core,,,Port of the destination. +8.0.0,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." 
+8.0.0,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +8.0.0,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.0.0,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.0.0,true,destination,destination.user.email,keyword,extended,,,User email address. +8.0.0,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.0.0,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.0.0,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.0.0,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.0.0,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +8.0.0,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.0.0,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.0.0,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.0.0,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.0.0,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.0.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.0.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +8.0.0,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. 
+8.0.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.0.0,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.0.0,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.0.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.0.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.0.0,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +8.0.0,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.0.0,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.0.0,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.0.0,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.0.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.0.0,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.0.0,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +8.0.0,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
+8.0.0,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.0.0,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.0.0,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.0.0,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.0.0,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.0.0,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.0.0,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +8.0.0,true,event,event.timezone,keyword,extended,,,Event time zone. +8.0.0,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.0.0,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.0.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.0.0,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +8.0.0,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +8.0.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.0.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.0.0,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.0.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +8.0.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. 
+8.0.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.0.0,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +8.0.0,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +8.0.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.0.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.0.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.0.0,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.0.0,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.0.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.0.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.0.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.0.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +8.0.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.0.0,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.0.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.0.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.0.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.0.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.0.0,true,network,network.protocol,keyword,core,,http,Application protocol name. 
+8.0.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.0.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.0.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.0.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.0.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.0.0,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +8.0.0,true,server,server.address,keyword,extended,,,Server network address. +8.0.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.0.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.0.0,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.0.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.0.0,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.0.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.0.0,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.0.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.0.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.0.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.0.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.0.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.0.0,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. 
+8.0.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.0.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.0.0,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.0.0,true,server,server.ip,ip,core,,,IP address of the server. +8.0.0,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.0.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.0.0,true,server,server.nat.port,long,extended,,,Server NAT port +8.0.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.0.0,true,server,server.port,long,core,,,Port of the server. +8.0.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.0.0,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.0.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.0.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.0.0,true,server,server.user.email,keyword,extended,,,User email address. +8.0.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.0.0,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.0.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.0.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.0.0,true,server,server.user.group.name,keyword,extended,,,Name of the group. +8.0.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+8.0.0,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.0.0,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.0.0,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.0.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.0.0,true,source,source.address,keyword,extended,,,Source network address. +8.0.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.0.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.0.0,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +8.0.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.0.0,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.0.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.0.0,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.0.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.0.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.0.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.0.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.0.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.0.0,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.0.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.0.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. 
+8.0.0,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.0.0,true,source,source.ip,ip,core,,,IP address of the source. +8.0.0,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +8.0.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.0.0,true,source,source.nat.port,long,extended,,,Source NAT port +8.0.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.0.0,true,source,source.port,long,core,,,Port of the source. +8.0.0,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.0.0,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.0.0,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.0.0,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.0.0,true,source,source.user.email,keyword,extended,,,User email address. +8.0.0,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.0.0,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +8.0.0,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.0.0,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.0.0,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.0.0,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.0.0,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.0.0,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+8.0.0,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.0.0,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.0.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.0.0,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.0.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.0.0,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.0.0,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.0.0,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.0.0,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.0.0,true,url,url.password,keyword,extended,,,Password of the request. +8.0.0,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +8.0.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.0.0,true,url,url.query,keyword,extended,,,Query string of the request. +8.0.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.0.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.0.0,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.0.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.0.0,true,url,url.username,keyword,extended,,,Username of the request. 
+8.0.0,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.0.0,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +8.0.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.0.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.0.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.0.0,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.0.0,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.0.0,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.0.0,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.0.0,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.0.0,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.0.0,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +8.0.0,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.0.0,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +8.0.0,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
+8.0.0,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. diff --git a/usage-example/generated/ecs/ecs_flat.yml b/usage-example/generated/ecs/ecs_flat.yml index a2141c7ed2..283f83e635 100644 --- a/usage-example/generated/ecs/ecs_flat.yml +++ b/usage-example/generated/ecs/ecs_flat.yml @@ -1,5 +1,5 @@ '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the @@ -148,8 +148,7 @@ client.as.organization.name: multi_fields: - flat_name: client.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -168,13 +167,17 @@ client.bytes: type: long client.domain: dashed_name: client-domain - description: Client domain. + description: 'The domain name of the client system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: client.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Client domain. + short: The domain name of the client. type: keyword client.geo.city_name: dashed_name: client-geo-city-name @@ -188,6 +191,18 @@ client.geo.city_name: original_fieldset: geo short: City name. type: keyword +client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. 
@@ -253,6 +268,21 @@ client.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -277,6 +307,18 @@ client.geo.region_name: original_fieldset: geo short: Region name. type: keyword +client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). @@ -288,7 +330,12 @@ client.ip: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core 
@@ -358,6 +405,24 @@ client.registered_domain: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword +client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -409,8 +474,7 @@ client.user.full_name: multi_fields: - flat_name: client.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -469,6 +533,7 @@ client.user.hash: client.user.id: dashed_name: client-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: client.user.id ignore_above: 1024 level: core @@ -480,15 +545,14 @@ client.user.id: client.user.name: dashed_name: client-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: client.user.name ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -544,8 +608,7 @@ destination.as.organization.name: multi_fields: - flat_name: destination.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -564,13 +627,17 @@ destination.bytes: type: long destination.domain: dashed_name: destination-domain - description: Destination domain. + description: 'The domain name of the destination system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: destination.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Destination domain. + short: The domain name of the destination. type: keyword destination.geo.city_name: dashed_name: destination-geo-city-name @@ -584,6 +651,18 @@ destination.geo.city_name: original_fieldset: geo short: City name. type: keyword +destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. 
@@ -649,6 +728,21 @@ destination.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -673,6 +767,18 @@ destination.geo.region_name: original_fieldset: geo short: Region name. type: keyword +destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). @@ -684,7 +790,12 @@ destination.ip: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core 
@@ -753,6 +864,24 @@ destination.registered_domain: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword +destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -804,8 +933,7 @@ destination.user.full_name: multi_fields: - flat_name: destination.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -864,6 +992,7 @@ destination.user.hash: destination.user.id: dashed_name: destination-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: destination.user.id ignore_above: 1024 level: core 
@@ -875,15 +1004,14 @@ destination.user.id: destination.user.name: dashed_name: destination-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: destination.user.name ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -934,6 +1062,41 @@ event.action: normalize: [] short: The action captured by the event. type: keyword +event.agent_id_status: + dashed_name: event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` field + value. If the system receiving events is capable of validating the value based + on authentication information for the client then this field can be used to reflect + the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the client + cert contains the ID of the agent to which the cert was issued then the `agent.id` + value in events can be checked against the certificate. If the values match then + `event.agent_id_status: verified` is added to the event, otherwise one of the + other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from auth + metadata. + + `mismatch` - The `agent.id` field value does not match the expected value obtained + from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: event.agent_id_status + ignore_above: 1024 + level: extended + name: agent_id_status + normalize: [] + short: Validation status of the event's agent.id field. + type: keyword event.category: allowed_values: - description: Events in this category are related to the challenge and response 
@@ -946,6 +1109,19 @@ event.category: - end - info name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, @@ -1060,6 +1236,30 @@ event.category: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: Use this category to visualize and analyze events describing threat + actors' targets, motives, or behaviors. + expected_event_types: + - indicator + name: threat - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in 
@@ -1211,12 +1411,22 @@ event.ingested: type: date event.kind: allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. + - description: 'This value indicates an event such as an alert or notable event, + triggered by a detection rule executing externally to the Elastic Stack. `event.kind:alert` is often populated for events coming from firewalls, intrusion - detection systems, endpoint detection and response systems, and so on.' + detection systems, endpoint detection and response systems, and so on. + + This value is not used by Elastic solutions for alert documents that are created + by rules executing within the Kibana alerting framework.' name: alert + - description: 'The `enrichment` value indicates an event collected to provide additional + context, often to other events. + + An example is collecting indicators of compromise (IOCs) from a threat intelligence + provider with the intent to use those values to enrich other events. The IOC + events from the intelligence provider should be categorized as `event.kind:enrichment`.' + name: enrichment - description: This value is the most general and most common value for this field. It is used to represent events that indicate that something happened. name: event 
@@ -1252,14 +1462,12 @@ event.kind: of this event, and that event data may be missing, inconsistent, or incorrect. `event.kind:pipeline_error` is often associated with parsing errors. name: pipeline_error - - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. + - description: 'This value is used by Elastic solutions (e.g., Security, Observability) + for alert documents that are created by rules executing within the Kibana alerting + framework. - A signal will typically trigger a notification that something meaningful happened - and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' + Usage of this value is reserved, and data ingestion pipelines must not populate + `event.kind` with the value "signal".' name: signal dashed_name: event-kind description: 'This is one of four ECS Categorization Fields, and indicates the highest @@ -1297,15 +1505,17 @@ event.module: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity. + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be + required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and index + this field, please see `Field data types` in the `Elasticsearch Reference`.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - ignore_above: 1024 index: false level: core name: original 
@@ -1391,8 +1601,8 @@ event.reference: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' + This URL links to a static definition of this event. Alert events, indicated by + `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference ignore_above: 1024 @@ -1566,6 +1776,11 @@ event.type: AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.' name: group + - description: 'The indicator event type is used for the subset of events within + a category that contain details about indicators of compromise (IOCs). + + A common example is `event.category:threat AND event.type:indicator`.' + name: indicator - description: The info event type is used for the subset of events within a category that indicate that they are purely informational, and don't report a state change, or any type of action. For example, an initial run of a file integrity monitoring @@ -1589,12 +1804,6 @@ event.type: indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process 
@@ -1655,17 +1864,15 @@ http.request.body.content: description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text name: text - norms: false - type: text + type: match_only_text name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -1677,17 +1884,28 @@ http.request.bytes: normalize: [] short: Total size in bytes of the request (body and headers). type: long +http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. - Prior to ECS 1.6.0 the following guidance was provided: - - "The field value must be normalized to lowercase for querying." - - As of ECS 1.6.0, the guidance is deprecated because the original case of the method - may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' - example: GET, POST, PUT, PoST + The value should retain its casing from the original event. For example, `GET`, + `get`, and `GeT` are all considered valid values for this field.' + example: POST flat_name: http.request.method ignore_above: 1024 level: extended 
@@ -1695,6 +1913,21 @@ http.request.method: normalize: [] short: HTTP request method. type: keyword +http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, not + on the `Content-Type` header. Comparing the mime type of a request with the request''s + Content-Type header can be helpful in detecting threats or misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword http.request.referrer: dashed_name: http-request-referrer description: Referrer for this HTTP request. @@ -1722,17 +1955,15 @@ http.response.body.content: description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text name: text - norms: false - type: text + type: match_only_text name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). 
@@ -1744,6 +1975,21 @@ http.response.bytes: normalize: [] short: Total size in bytes of the response (body and headers). type: long +http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, not + on the `Content-Type` header. Comparing the mime type of a response with the response''s + Content-Type header can be helpful in detecting misconfigured servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword http.response.status_code: dashed_name: http-response-status-code description: HTTP response status code. 
@@ -1796,18 +2042,18 @@ message: level: core name: message normalize: [] - norms: false short: Log message optimized for viewing in a log viewer. - type: text + type: match_only_text network.application: dashed_name: network-application - description: 'A name given to an application level protocol. This can be arbitrarily - assigned for things like microservices, but also apply to things like skype, icq, - facebook, twitter. This would be used in situations where the vendor or service - can be decoded such as from the source/dest IP owners, ports, or wire format. + description: 'When a specific application or service is identified from network + connection details (source/dest IPs, ports, certificates, or wire format), this + field captures the application''s or service''s name. + + For example, the original event identifies the network connection being from a + specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: aim flat_name: network.application ignore_above: 1024 
@@ -1846,11 +2092,17 @@ network.community_id: type: keyword network.direction: dashed_name: network-direction - description: "Direction of the network traffic.\nRecommended values are:\n * inbound\n\ - \ * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events\ - \ from a host-based monitoring context, populate this field from the host's point\ - \ of view.\nWhen mapping events from a network or perimeter-based monitoring context,\ - \ populate this field from the point of view of your network perimeter." + description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n\ + \ * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\ + \nWhen mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\ + When mapping events from a network or perimeter-based monitoring context, populate\ + \ this field from the point of view of the network perimeter, using the values\ + \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\ + \ is not crossing perimeter boundaries, and is meant to describe communication\ + \ between two hosts within the perimeter. Note also that \"external\" is meant\ + \ to describe traffic between two hosts that are external to the perimeter. This\ + \ could for example be useful for ISPs or VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 
@@ -1885,8 +2137,8 @@ network.iana_number: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields to - describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields - include vlan.id and vlan.name. Inner vlan fields are typically used when sending + describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields + include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner level: extended @@ -1944,25 +2196,24 @@ network.packets: type: long network.protocol: dashed_name: network-protocol - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + description: 'In the OSI Model this would be the Application Layer protocol. For + example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: http flat_name: network.protocol ignore_above: 1024 level: core name: protocol normalize: [] - short: L7 Network protocol name. + short: Application protocol name. type: keyword network.transport: dashed_name: network-transport description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: tcp flat_name: network.transport ignore_above: 1024 
@@ -1976,8 +2227,7 @@ network.type: description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: ipv4 flat_name: network.type ignore_above: 1024 @@ -2023,14 +2273,14 @@ related.ip: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword server.address: dashed_name: server-address @@ -2069,8 +2319,7 @@ server.as.organization.name: multi_fields: - flat_name: server.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2089,13 +2338,17 @@ server.bytes: type: long server.domain: dashed_name: server-domain - description: Server domain. + description: 'The domain name of the server system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: server.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Server domain. + short: The domain name of the server. type: keyword server.geo.city_name: dashed_name: server-geo-city-name 
@@ -2109,6 +2362,18 @@ server.geo.city_name: original_fieldset: geo short: City name. type: keyword +server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. @@ -2174,6 +2439,21 @@ server.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -2198,6 +2478,18 @@ server.geo.region_name: original_fieldset: geo short: Region name. type: keyword +server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). 
@@ -2209,7 +2501,12 @@ server.ip: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core @@ -2279,6 +2576,24 @@ server.registered_domain: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword +server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -2330,8 +2645,7 @@ server.user.full_name: multi_fields: - flat_name: server.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user 
@@ -2390,6 +2704,7 @@ server.user.hash: server.user.id: dashed_name: server-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: server.user.id ignore_above: 1024 level: core @@ -2401,15 +2716,14 @@ server.user.id: server.user.name: dashed_name: server-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: server.user.name ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user @@ -2465,8 +2779,7 @@ source.as.organization.name: multi_fields: - flat_name: source.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2485,13 +2798,17 @@ source.bytes: type: long source.domain: dashed_name: source-domain - description: Source domain. + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: source.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Source domain. + short: The domain name of the source. type: keyword source.geo.city_name: dashed_name: source-geo-city-name @@ -2505,6 +2822,18 @@ source.geo.city_name: original_fieldset: geo short: City name. type: keyword +source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. 
@@ -2570,6 +2899,21 @@ source.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -2594,6 +2938,18 @@ source.geo.region_name: original_fieldset: geo short: Region name. type: keyword +source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). @@ -2605,7 +2961,12 @@ source.ip: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core 
@@ -2675,6 +3036,24 @@ source.registered_domain: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword +source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -2726,8 +3105,7 @@ source.user.full_name: multi_fields: - flat_name: source.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -2786,6 +3164,7 @@ source.user.hash: source.user.id: dashed_name: source-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: source.user.id ignore_above: 1024 level: core @@ -2797,15 +3176,14 @@ source.user.id: source.user.name: dashed_name: source-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: source.user.name ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -2841,7 +3219,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 @@ -2852,19 +3233,23 @@ url.domain: type: keyword url.extension: dashed_name: url-extension - description: 'The field contains the file extension from the original request url. + description: 'The field contains the file extension from the original request url, + excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment @@ -2884,17 +3269,15 @@ url.full: in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: dashed_name: url-original description: 'Unmodified original url as seen in the event source. 
@@ -2905,17 +3288,15 @@ url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -2930,12 +3311,11 @@ url.path: dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -2993,6 +3373,24 @@ url.scheme: normalize: [] short: Scheme of the url. type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, 
@@ -3023,15 +3421,14 @@ url.username: user.name: dashed_name: user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: user.name ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] short: Short name or login of the user. @@ -3069,8 +3466,7 @@ user_agent.original: multi_fields: - flat_name: user_agent.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unparsed user_agent string. @@ -3097,8 +3493,7 @@ user_agent.os.full: multi_fields: - flat_name: user_agent.os.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] original_fieldset: os @@ -3126,8 +3521,7 @@ user_agent.os.name: multi_fields: - flat_name: user_agent.os.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: os @@ -3145,6 +3539,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. 
diff --git a/usage-example/generated/ecs/ecs_nested.yml b/usage-example/generated/ecs/ecs_nested.yml index 82675ddcfc..c17cd39703 100644 --- a/usage-example/generated/ecs/ecs_nested.yml +++ b/usage-example/generated/ecs/ecs_nested.yml @@ -125,7 +125,7 @@ base: events. These fields are common across all types of events. fields: '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when @@ -173,9 +173,8 @@ base: level: core name: message normalize: [] - norms: false short: Log message optimized for viewing in a log viewer. - type: text + type: match_only_text tags: dashed_name: tags description: List of keywords used to tag each event. @@ -249,8 +248,7 @@ client: multi_fields: - flat_name: client.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -269,13 +267,18 @@ client: type: long client.domain: dashed_name: client-domain - description: Client domain. + description: 'The domain name of the client system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: client.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Client domain. + short: The domain name of the client. type: keyword client.geo.city_name: dashed_name: client-geo-city-name 
@@ -289,6 +292,18 @@ client: original_fieldset: geo short: City name. type: keyword + client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -354,6 +369,21 @@ client: original_fieldset: geo short: User-defined description of a location. type: keyword + client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -378,6 +408,18 @@ client: original_fieldset: geo short: Region name. type: keyword + client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). 
@@ -389,7 +431,13 @@ client: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core @@ -459,6 +507,24 @@ client: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword + client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -510,8 +576,7 @@ client: multi_fields: - flat_name: client.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -570,6 +635,7 @@ client: client.user.id: dashed_name: client-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: client.user.id ignore_above: 1024 level: core 
@@ -581,15 +647,14 @@ client: client.user.name: dashed_name: client-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: client.user.name ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user @@ -629,9 +694,15 @@ client: title: Client type: group destination: - description: 'Destination fields describe details about the destination of a packet/event. - - Destination fields are usually populated in conjunction with source fields.' + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or other + event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' fields: destination.address: dashed_name: destination-address @@ -670,8 +741,7 @@ destination: multi_fields: - flat_name: destination.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as 
@@ -690,13 +760,18 @@ destination: type: long destination.domain: dashed_name: destination-domain - description: Destination domain. + description: 'The domain name of the destination system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: destination.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Destination domain. + short: The domain name of the destination. type: keyword destination.geo.city_name: dashed_name: destination-geo-city-name @@ -710,6 +785,18 @@ destination: original_fieldset: geo short: City name. type: keyword + destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. @@ -775,6 +862,21 @@ destination: original_fieldset: geo short: User-defined description of a location. type: keyword + destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. 
@@ -799,6 +901,18 @@ destination: original_fieldset: geo short: Region name. type: keyword + destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). @@ -810,7 +924,13 @@ destination: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core 
@@ -879,6 +999,24 @@ destination: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword + destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -930,8 +1068,7 @@ destination: multi_fields: - flat_name: destination.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -990,6 +1127,7 @@ destination: destination.user.id: dashed_name: destination-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: destination.user.id ignore_above: 1024 level: core @@ -1001,15 +1139,14 @@ destination: destination.user.name: dashed_name: destination-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: destination.user.name ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -1103,6 +1240,41 @@ event: normalize: [] short: The action captured by the event. type: keyword + event.agent_id_status: + dashed_name: event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. + + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: event.agent_id_status + ignore_above: 1024 + level: extended + name: agent_id_status + normalize: [] + short: Validation status of the event's agent.id field. + type: keyword event.category: allowed_values: - description: Events in this category are related to the challenge and response 
@@ -1115,6 +1287,19 @@ event: - end - info name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from @@ -1231,6 +1416,30 @@ event: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: Use this category to visualize and analyze events describing + threat actors' targets, motives, or behaviors. + expected_event_types: + - indicator + name: threat - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also 
@@ -1384,13 +1593,23 @@ event: type: date event.kind: allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. + - description: 'This value indicates an event such as an alert or notable event, + triggered by a detection rule executing externally to the Elastic Stack. `event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and - so on.' + so on. + + This value is not used by Elastic solutions for alert documents that are + created by rules executing within the Kibana alerting framework.' name: alert + - description: 'The `enrichment` value indicates an event collected to provide + additional context, often to other events. + + An example is collecting indicators of compromise (IOCs) from a threat intelligence + provider with the intent to use those values to enrich other events. The + IOC events from the intelligence provider should be categorized as `event.kind:enrichment`.' + name: enrichment - description: This value is the most general and most common value for this field. It is used to represent events that indicate that something happened. name: event 
@@ -1426,14 +1645,12 @@ event: of this event, and that event data may be missing, inconsistent, or incorrect. `event.kind:pipeline_error` is often associated with parsing errors. name: pipeline_error - - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful - happened and should be investigated. + - description: 'This value is used by Elastic solutions (e.g., Security, Observability) + for alert documents that are created by rules executing within the Kibana + alerting framework. - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' + Usage of this value is reserved, and data ingestion pipelines must not populate + `event.kind` with the value "signal".' name: signal dashed_name: event-kind description: 'This is one of four ECS Categorization Fields, and indicates the @@ -1472,15 +1689,17 @@ event: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity. + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may + be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, please see `Field data types` in the `Elasticsearch Reference`.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - ignore_above: 1024 index: false level: core name: original 
@@ -1570,7 +1789,7 @@ event: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference @@ -1749,6 +1968,11 @@ event: AND event.type:creation AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.' name: group + - description: 'The indicator event type is used for the subset of events within + a category that contain details about indicators of compromise (IOCs). + + A common example is `event.category:threat AND event.type:indicator`.' + name: indicator - description: The info event type is used for the subset of events within a category that indicate that they are purely informational, and don't report a state change, or any type of action. For example, an initial run of a @@ -1774,12 +1998,6 @@ event: should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process 
@@ -1850,17 +2068,15 @@ http: description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text name: text - norms: false - type: text + type: match_only_text name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -1872,18 +2088,28 @@ http: normalize: [] short: Total size in bytes of the request (body and headers). type: long + http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. - Prior to ECS 1.6.0 the following guidance was provided: - - "The field value must be normalized to lowercase for querying." - - As of ECS 1.6.0, the guidance is deprecated because the original case of the - method may be useful in anomaly detection. Original case will be mandated - in ECS 2.0.0' - example: GET, POST, PUT, PoST + The value should retain its casing from the original event. For example, `GET`, + `get`, and `GeT` are all considered valid values for this field.' + example: POST flat_name: http.request.method ignore_above: 1024 level: extended 
@@ -1891,6 +2117,22 @@ http: normalize: [] short: HTTP request method. type: keyword + http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword http.request.referrer: dashed_name: http-request-referrer description: Referrer for this HTTP request. @@ -1918,17 +2160,15 @@ http: description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text name: text - norms: false - type: text + type: match_only_text name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). 
@@ -1940,6 +2180,22 @@ http: normalize: [] short: Total size in bytes of the response (body and headers). type: long + http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword http.response.status_code: dashed_name: http-response-status-code description: HTTP response status code. @@ -1977,14 +2233,15 @@ network: fields: network.application: dashed_name: network-application - description: 'A name given to an application level protocol. This can be arbitrarily - assigned for things like microservices, but also apply to things like skype, - icq, facebook, twitter. This would be used in situations where the vendor - or service can be decoded such as from the source/dest IP owners, ports, or - wire format. - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + description: 'When a specific application or service is identified from network + connection details (source/dest IPs, ports, certificates, or wire format), + this field captures the application''s or service''s name. + + For example, the original event identifies the network connection being from + a specific web service in a `https` network connection, like `facebook` or + `twitter`. + + The field value must be normalized to lowercase for querying.' example: aim flat_name: network.application ignore_above: 1024 
@@ -2025,11 +2282,17 @@ network: network.direction: dashed_name: network-direction description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 @@ -2064,8 +2327,8 @@ network: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner 
@@ -2124,25 +2387,24 @@ network: type: long network.protocol: dashed_name: network-protocol - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + description: 'In the OSI Model this would be the Application Layer protocol. + For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: http flat_name: network.protocol ignore_above: 1024 level: core name: protocol normalize: [] - short: L7 Network protocol name. + short: Application protocol name. type: keyword network.transport: dashed_name: network-transport description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: tcp flat_name: network.transport ignore_above: 1024 @@ -2156,8 +2418,7 @@ network: description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: ipv4 flat_name: network.type ignore_above: 1024 @@ -2231,14 +2492,14 @@ related: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword group: 2 name: related 
@@ -2300,8 +2561,7 @@ server: multi_fields: - flat_name: server.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2320,13 +2580,18 @@ server: type: long server.domain: dashed_name: server-domain - description: Server domain. + description: 'The domain name of the server system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: server.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Server domain. + short: The domain name of the server. type: keyword server.geo.city_name: dashed_name: server-geo-city-name @@ -2340,6 +2605,18 @@ server: original_fieldset: geo short: City name. type: keyword + server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. @@ -2405,6 +2682,21 @@ server: original_fieldset: geo short: User-defined description of a location. type: keyword + server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. 
@@ -2429,6 +2721,18 @@ server: original_fieldset: geo short: Region name. type: keyword + server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). @@ -2440,7 +2744,13 @@ server: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core 
@@ -2510,6 +2820,24 @@ server: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword + server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -2561,8 +2889,7 @@ server: multi_fields: - flat_name: server.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -2621,6 +2948,7 @@ server: server.user.id: dashed_name: server-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: server.user.id ignore_above: 1024 level: core @@ -2632,15 +2960,14 @@ server: server.user.name: dashed_name: server-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: server.user.name ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -2680,9 +3007,15 @@ server: title: Server type: group source: - description: 'Source fields describe details about the source of a packet/event. - - Source fields are usually populated in conjunction with destination fields.' + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' fields: source.address: dashed_name: source-address @@ -2721,8 +3054,7 @@ source: multi_fields: - flat_name: source.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2741,13 +3073,18 @@ source: type: long source.domain: dashed_name: source-domain - description: Source domain. + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: source.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Source domain. + short: The domain name of the source. type: keyword source.geo.city_name: dashed_name: source-geo-city-name 
@@ -2761,6 +3098,18 @@ source: original_fieldset: geo short: City name. type: keyword + source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. @@ -2826,6 +3175,21 @@ source: original_fieldset: geo short: User-defined description of a location. type: keyword + source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -2850,6 +3214,18 @@ source: original_fieldset: geo short: Region name. type: keyword + source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). 
@@ -2861,7 +3237,13 @@ source: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core @@ -2931,6 +3313,24 @@ source: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword + source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -2982,8 +3382,7 @@ source: multi_fields: - flat_name: source.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -3042,6 +3441,7 @@ source: source.user.id: dashed_name: source-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: source.user.id ignore_above: 1024 level: core 
@@ -3053,15 +3453,14 @@ source: source.user.name: dashed_name: source-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: source.user.name ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user @@ -3109,7 +3508,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 @@ -3121,19 +3524,22 @@ url: url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment 
@@ -3154,17 +3560,15 @@ url: source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -3175,17 +3579,15 @@ url: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -3200,12 +3602,11 @@ url: dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. 
@@ -3263,6 +3664,24 @@ url: normalize: [] short: Scheme of the url. type: keyword + url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -3293,6 +3712,16 @@ url: group: 2 name: url prefix: url. + reusable: + expected: + - as: url + at: threat.indicator + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url + top_level: true short: Fields that let you store URLs in various forms. title: URL type: group @@ -3306,15 +3735,14 @@ user: user.name: dashed_name: user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: user.name ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] short: Short name or login of the user. @@ -3322,7 +3750,10 @@ user: group: 2 name: user nestings: + - user.changes + - user.effective - user.group + - user.target prefix: user. reusable: expected: 
@@ -3332,20 +3763,38 @@ user: - as: user at: destination full: destination.user - - as: user - at: host - full: host.user - as: user at: server full: server.user - as: user at: source full: source.user + - as: target + at: user + full: user.target + short_override: Targeted user of action taken. + - as: effective + at: user + full: user.effective + short_override: User whose privileges were assumed. + - as: changes + at: user + full: user.changes + short_override: Captures changes made to a user. top_level: true reused_here: - full: user.group schema_name: group short: User's group relevant to the event. + - full: user.target + schema_name: user + short: Targeted user of action taken. + - full: user.effective + schema_name: user + short: User whose privileges were assumed. + - full: user.changes + schema_name: user + short: Captures changes made to a user. short: Fields to describe the user relevant to the event. title: User type: group @@ -3387,8 +3836,7 @@ user_agent: multi_fields: - flat_name: user_agent.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unparsed user_agent string. @@ -3415,8 +3863,7 @@ user_agent: multi_fields: - flat_name: user_agent.os.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] original_fieldset: os @@ -3444,8 +3891,7 @@ user_agent: multi_fields: - flat_name: user_agent.os.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: os 
@@ -3463,6 +3909,26 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/usage-example/generated/ecs/subset/web_logs/ecs_flat.yml b/usage-example/generated/ecs/subset/web_logs/ecs_flat.yml index a2141c7ed2..283f83e635 100644 --- a/usage-example/generated/ecs/subset/web_logs/ecs_flat.yml +++ b/usage-example/generated/ecs/subset/web_logs/ecs_flat.yml @@ -1,5 +1,5 @@ '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the @@ -148,8 +148,7 @@ client.as.organization.name: multi_fields: - flat_name: client.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as 
@@ -168,13 +167,17 @@ client.bytes: type: long client.domain: dashed_name: client-domain - description: Client domain. + description: 'The domain name of the client system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: client.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Client domain. + short: The domain name of the client. type: keyword client.geo.city_name: dashed_name: client-geo-city-name @@ -188,6 +191,18 @@ client.geo.city_name: original_fieldset: geo short: City name. type: keyword +client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -253,6 +268,21 @@ client.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. 
@@ -277,6 +307,18 @@ client.geo.region_name: original_fieldset: geo short: Region name. type: keyword +client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). @@ -288,7 +330,12 @@ client.ip: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core 
@@ -358,6 +405,24 @@ client.registered_domain: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword +client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -409,8 +474,7 @@ client.user.full_name: multi_fields: - flat_name: client.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -469,6 +533,7 @@ client.user.hash: client.user.id: dashed_name: client-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: client.user.id ignore_above: 1024 level: core @@ -480,15 +545,14 @@ client.user.id: client.user.name: dashed_name: client-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: client.user.name ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -544,8 +608,7 @@ destination.as.organization.name: multi_fields: - flat_name: destination.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -564,13 +627,17 @@ destination.bytes: type: long destination.domain: dashed_name: destination-domain - description: Destination domain. + description: 'The domain name of the destination system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: destination.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Destination domain. + short: The domain name of the destination. type: keyword destination.geo.city_name: dashed_name: destination-geo-city-name @@ -584,6 +651,18 @@ destination.geo.city_name: original_fieldset: geo short: City name. type: keyword +destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. 
@@ -649,6 +728,21 @@ destination.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -673,6 +767,18 @@ destination.geo.region_name: original_fieldset: geo short: Region name. type: keyword +destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). @@ -684,7 +790,12 @@ destination.ip: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core 
@@ -753,6 +864,24 @@ destination.registered_domain: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword +destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -804,8 +933,7 @@ destination.user.full_name: multi_fields: - flat_name: destination.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -864,6 +992,7 @@ destination.user.hash: destination.user.id: dashed_name: destination-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: destination.user.id ignore_above: 1024 level: core 
@@ -875,15 +1004,14 @@ destination.user.id: destination.user.name: dashed_name: destination-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: destination.user.name ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -934,6 +1062,41 @@ event.action: normalize: [] short: The action captured by the event. type: keyword +event.agent_id_status: + dashed_name: event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` field + value. If the system receiving events is capable of validating the value based + on authentication information for the client then this field can be used to reflect + the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the client + cert contains the ID of the agent to which the cert was issued then the `agent.id` + value in events can be checked against the certificate. If the values match then + `event.agent_id_status: verified` is added to the event, otherwise one of the + other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from auth + metadata. + + `mismatch` - The `agent.id` field value does not match the expected value obtained + from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: event.agent_id_status + ignore_above: 1024 + level: extended + name: agent_id_status + normalize: [] + short: Validation status of the event's agent.id field. + type: keyword event.category: allowed_values: - description: Events in this category are related to the challenge and response 
@@ -946,6 +1109,19 @@ event.category: - end - info name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, @@ -1060,6 +1236,30 @@ event.category: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: Use this category to visualize and analyze events describing threat + actors' targets, motives, or behaviors. + expected_event_types: + - indicator + name: threat - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in 
@@ -1211,12 +1411,22 @@ event.ingested: type: date event.kind: allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. + - description: 'This value indicates an event such as an alert or notable event, + triggered by a detection rule executing externally to the Elastic Stack. `event.kind:alert` is often populated for events coming from firewalls, intrusion - detection systems, endpoint detection and response systems, and so on.' + detection systems, endpoint detection and response systems, and so on. + + This value is not used by Elastic solutions for alert documents that are created + by rules executing within the Kibana alerting framework.' name: alert + - description: 'The `enrichment` value indicates an event collected to provide additional + context, often to other events. + + An example is collecting indicators of compromise (IOCs) from a threat intelligence + provider with the intent to use those values to enrich other events. The IOC + events from the intelligence provider should be categorized as `event.kind:enrichment`.' + name: enrichment - description: This value is the most general and most common value for this field. It is used to represent events that indicate that something happened. name: event 
@@ -1252,14 +1462,12 @@ event.kind: of this event, and that event data may be missing, inconsistent, or incorrect. `event.kind:pipeline_error` is often associated with parsing errors. name: pipeline_error - - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. + - description: 'This value is used by Elastic solutions (e.g., Security, Observability) + for alert documents that are created by rules executing within the Kibana alerting + framework. - A signal will typically trigger a notification that something meaningful happened - and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' + Usage of this value is reserved, and data ingestion pipelines must not populate + `event.kind` with the value "signal".' name: signal dashed_name: event-kind description: 'This is one of four ECS Categorization Fields, and indicates the highest @@ -1297,15 +1505,17 @@ event.module: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity. + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be + required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and index + this field, please see `Field data types` in the `Elasticsearch Reference`.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - ignore_above: 1024 index: false level: core name: original 
@@ -1391,8 +1601,8 @@ event.reference: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' + This URL links to a static definition of this event. Alert events, indicated by + `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference ignore_above: 1024 @@ -1566,6 +1776,11 @@ event.type: AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.' name: group + - description: 'The indicator event type is used for the subset of events within + a category that contain details about indicators of compromise (IOCs). + + A common example is `event.category:threat AND event.type:indicator`.' + name: indicator - description: The info event type is used for the subset of events within a category that indicate that they are purely informational, and don't report a state change, or any type of action. For example, an initial run of a file integrity monitoring @@ -1589,12 +1804,6 @@ event.type: indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process 
@@ -1655,17 +1864,15 @@ http.request.body.content: description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text name: text - norms: false - type: text + type: match_only_text name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -1677,17 +1884,28 @@ http.request.bytes: normalize: [] short: Total size in bytes of the request (body and headers). type: long +http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. - Prior to ECS 1.6.0 the following guidance was provided: - - "The field value must be normalized to lowercase for querying." - - As of ECS 1.6.0, the guidance is deprecated because the original case of the method - may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' - example: GET, POST, PUT, PoST + The value should retain its casing from the original event. For example, `GET`, + `get`, and `GeT` are all considered valid values for this field.' + example: POST flat_name: http.request.method ignore_above: 1024 level: extended 
@@ -1695,6 +1913,21 @@ http.request.method: normalize: [] short: HTTP request method. type: keyword +http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, not + on the `Content-Type` header. Comparing the mime type of a request with the request''s + Content-Type header can be helpful in detecting threats or misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword http.request.referrer: dashed_name: http-request-referrer description: Referrer for this HTTP request. @@ -1722,17 +1955,15 @@ http.response.body.content: description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text name: text - norms: false - type: text + type: match_only_text name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). 
@@ -1744,6 +1975,21 @@ http.response.bytes: normalize: [] short: Total size in bytes of the response (body and headers). type: long +http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, not + on the `Content-Type` header. Comparing the mime type of a response with the response''s + Content-Type header can be helpful in detecting misconfigured servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword http.response.status_code: dashed_name: http-response-status-code description: HTTP response status code. 
@@ -1796,18 +2042,18 @@ message: level: core name: message normalize: [] - norms: false short: Log message optimized for viewing in a log viewer. - type: text + type: match_only_text network.application: dashed_name: network-application - description: 'A name given to an application level protocol. This can be arbitrarily - assigned for things like microservices, but also apply to things like skype, icq, - facebook, twitter. This would be used in situations where the vendor or service - can be decoded such as from the source/dest IP owners, ports, or wire format. + description: 'When a specific application or service is identified from network + connection details (source/dest IPs, ports, certificates, or wire format), this + field captures the application''s or service''s name. + + For example, the original event identifies the network connection being from a + specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: aim flat_name: network.application ignore_above: 1024 
@@ -1846,11 +2092,17 @@ network.community_id: type: keyword network.direction: dashed_name: network-direction - description: "Direction of the network traffic.\nRecommended values are:\n * inbound\n\ - \ * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events\ - \ from a host-based monitoring context, populate this field from the host's point\ - \ of view.\nWhen mapping events from a network or perimeter-based monitoring context,\ - \ populate this field from the point of view of your network perimeter." + description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n\ + \ * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\ + \nWhen mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\ + When mapping events from a network or perimeter-based monitoring context, populate\ + \ this field from the point of view of the network perimeter, using the values\ + \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\ + \ is not crossing perimeter boundaries, and is meant to describe communication\ + \ between two hosts within the perimeter. Note also that \"external\" is meant\ + \ to describe traffic between two hosts that are external to the perimeter. This\ + \ could for example be useful for ISPs or VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 
@@ -1885,8 +2137,8 @@ network.iana_number: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields to - describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields - include vlan.id and vlan.name. Inner vlan fields are typically used when sending + describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields + include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner level: extended @@ -1944,25 +2196,24 @@ network.packets: type: long network.protocol: dashed_name: network-protocol - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + description: 'In the OSI Model this would be the Application Layer protocol. For + example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: http flat_name: network.protocol ignore_above: 1024 level: core name: protocol normalize: [] - short: L7 Network protocol name. + short: Application protocol name. type: keyword network.transport: dashed_name: network-transport description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: tcp flat_name: network.transport ignore_above: 1024 
@@ -1976,8 +2227,7 @@ network.type: description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: ipv4 flat_name: network.type ignore_above: 1024 @@ -2023,14 +2273,14 @@ related.ip: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword server.address: dashed_name: server-address @@ -2069,8 +2319,7 @@ server.as.organization.name: multi_fields: - flat_name: server.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2089,13 +2338,17 @@ server.bytes: type: long server.domain: dashed_name: server-domain - description: Server domain. + description: 'The domain name of the server system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: server.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Server domain. + short: The domain name of the server. type: keyword server.geo.city_name: dashed_name: server-geo-city-name 
@@ -2109,6 +2362,18 @@ server.geo.city_name: original_fieldset: geo short: City name. type: keyword +server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. @@ -2174,6 +2439,21 @@ server.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -2198,6 +2478,18 @@ server.geo.region_name: original_fieldset: geo short: Region name. type: keyword +server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). 
@@ -2209,7 +2501,12 @@ server.ip: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core @@ -2279,6 +2576,24 @@ server.registered_domain: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword +server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -2330,8 +2645,7 @@ server.user.full_name: multi_fields: - flat_name: server.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user 
@@ -2390,6 +2704,7 @@ server.user.hash: server.user.id: dashed_name: server-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: server.user.id ignore_above: 1024 level: core @@ -2401,15 +2716,14 @@ server.user.id: server.user.name: dashed_name: server-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: server.user.name ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user @@ -2465,8 +2779,7 @@ source.as.organization.name: multi_fields: - flat_name: source.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2485,13 +2798,17 @@ source.bytes: type: long source.domain: dashed_name: source-domain - description: Source domain. + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com flat_name: source.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Source domain. + short: The domain name of the source. type: keyword source.geo.city_name: dashed_name: source-geo-city-name @@ -2505,6 +2822,18 @@ source.geo.city_name: original_fieldset: geo short: City name. type: keyword +source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. 
@@ -2570,6 +2899,21 @@ source.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -2594,6 +2938,18 @@ source.geo.region_name: original_fieldset: geo short: Region name. type: keyword +source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). @@ -2605,7 +2961,12 @@ source.ip: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core 
@@ -2675,6 +3036,24 @@ source.registered_domain: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword +source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -2726,8 +3105,7 @@ source.user.full_name: multi_fields: - flat_name: source.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -2786,6 +3164,7 @@ source.user.hash: source.user.id: dashed_name: source-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: source.user.id ignore_above: 1024 level: core @@ -2797,15 +3176,14 @@ source.user.id: source.user.name: dashed_name: source-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: source.user.name ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -2841,7 +3219,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 @@ -2852,19 +3233,23 @@ url.domain: type: keyword url.extension: dashed_name: url-extension - description: 'The field contains the file extension from the original request url. + description: 'The field contains the file extension from the original request url, + excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment @@ -2884,17 +3269,15 @@ url.full: in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: dashed_name: url-original description: 'Unmodified original url as seen in the event source. 
@@ -2905,17 +3288,15 @@ url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -2930,12 +3311,11 @@ url.path: dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -2993,6 +3373,24 @@ url.scheme: normalize: [] short: Scheme of the url. type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, 
@@ -3023,15 +3421,14 @@ url.username: user.name: dashed_name: user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: user.name ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] short: Short name or login of the user. @@ -3069,8 +3466,7 @@ user_agent.original: multi_fields: - flat_name: user_agent.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unparsed user_agent string. @@ -3097,8 +3493,7 @@ user_agent.os.full: multi_fields: - flat_name: user_agent.os.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] original_fieldset: os @@ -3126,8 +3521,7 @@ user_agent.os.name: multi_fields: - flat_name: user_agent.os.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: os @@ -3145,6 +3539,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. 
diff --git a/usage-example/generated/ecs/subset/web_logs/ecs_nested.yml b/usage-example/generated/ecs/subset/web_logs/ecs_nested.yml index 82675ddcfc..c17cd39703 100644 --- a/usage-example/generated/ecs/subset/web_logs/ecs_nested.yml +++ b/usage-example/generated/ecs/subset/web_logs/ecs_nested.yml @@ -125,7 +125,7 @@ base: events. These fields are common across all types of events. fields: '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when @@ -173,9 +173,8 @@ base: level: core name: message normalize: [] - norms: false short: Log message optimized for viewing in a log viewer. - type: text + type: match_only_text tags: dashed_name: tags description: List of keywords used to tag each event. @@ -249,8 +248,7 @@ client: multi_fields: - flat_name: client.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -269,13 +267,18 @@ client: type: long client.domain: dashed_name: client-domain - description: Client domain. + description: 'The domain name of the client system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: client.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Client domain. + short: The domain name of the client. type: keyword client.geo.city_name: dashed_name: client-geo-city-name 
@@ -289,6 +292,18 @@ client: original_fieldset: geo short: City name. type: keyword + client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -354,6 +369,21 @@ client: original_fieldset: geo short: User-defined description of a location. type: keyword + client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -378,6 +408,18 @@ client: original_fieldset: geo short: Region name. type: keyword + client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). 
@@ -389,7 +431,13 @@ client: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core @@ -459,6 +507,24 @@ client: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword + client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -510,8 +576,7 @@ client: multi_fields: - flat_name: client.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -570,6 +635,7 @@ client: client.user.id: dashed_name: client-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: client.user.id ignore_above: 1024 level: core 
@@ -581,15 +647,14 @@ client: client.user.name: dashed_name: client-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: client.user.name ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user @@ -629,9 +694,15 @@ client: title: Client type: group destination: - description: 'Destination fields describe details about the destination of a packet/event. - - Destination fields are usually populated in conjunction with source fields.' + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or other + event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' fields: destination.address: dashed_name: destination-address @@ -670,8 +741,7 @@ destination: multi_fields: - flat_name: destination.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as 
@@ -690,13 +760,18 @@ destination: type: long destination.domain: dashed_name: destination-domain - description: Destination domain. + description: 'The domain name of the destination system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: destination.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Destination domain. + short: The domain name of the destination. type: keyword destination.geo.city_name: dashed_name: destination-geo-city-name @@ -710,6 +785,18 @@ destination: original_fieldset: geo short: City name. type: keyword + destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. @@ -775,6 +862,21 @@ destination: original_fieldset: geo short: User-defined description of a location. type: keyword + destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. 
@@ -799,6 +901,18 @@ destination: original_fieldset: geo short: Region name. type: keyword + destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). @@ -810,7 +924,13 @@ destination: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core 
@@ -879,6 +999,24 @@ destination: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword + destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -930,8 +1068,7 @@ destination: multi_fields: - flat_name: destination.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -990,6 +1127,7 @@ destination: destination.user.id: dashed_name: destination-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: destination.user.id ignore_above: 1024 level: core @@ -1001,15 +1139,14 @@ destination: destination.user.name: dashed_name: destination-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: destination.user.name ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -1103,6 +1240,41 @@ event: normalize: [] short: The action captured by the event. type: keyword + event.agent_id_status: + dashed_name: event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. + + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: event.agent_id_status + ignore_above: 1024 + level: extended + name: agent_id_status + normalize: [] + short: Validation status of the event's agent.id field. + type: keyword event.category: allowed_values: - description: Events in this category are related to the challenge and response 
@@ -1115,6 +1287,19 @@ event: - end - info name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from @@ -1231,6 +1416,30 @@ event: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: Use this category to visualize and analyze events describing + threat actors' targets, motives, or behaviors. + expected_event_types: + - indicator + name: threat - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also 
@@ -1384,13 +1593,23 @@ event: type: date event.kind: allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. + - description: 'This value indicates an event such as an alert or notable event, + triggered by a detection rule executing externally to the Elastic Stack. `event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and - so on.' + so on. + + This value is not used by Elastic solutions for alert documents that are + created by rules executing within the Kibana alerting framework.' name: alert + - description: 'The `enrichment` value indicates an event collected to provide + additional context, often to other events. + + An example is collecting indicators of compromise (IOCs) from a threat intelligence + provider with the intent to use those values to enrich other events. The + IOC events from the intelligence provider should be categorized as `event.kind:enrichment`.' + name: enrichment - description: This value is the most general and most common value for this field. It is used to represent events that indicate that something happened. name: event 
@@ -1426,14 +1645,12 @@ event: of this event, and that event data may be missing, inconsistent, or incorrect. `event.kind:pipeline_error` is often associated with parsing errors. name: pipeline_error - - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful - happened and should be investigated. + - description: 'This value is used by Elastic solutions (e.g., Security, Observability) + for alert documents that are created by rules executing within the Kibana + alerting framework. - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' + Usage of this value is reserved, and data ingestion pipelines must not populate + `event.kind` with the value "signal".' name: signal dashed_name: event-kind description: 'This is one of four ECS Categorization Fields, and indicates the @@ -1472,15 +1689,17 @@ event: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity. + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may + be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, please see `Field data types` in the `Elasticsearch Reference`.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - ignore_above: 1024 index: false level: core name: original 
@@ -1570,7 +1789,7 @@ event: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference @@ -1749,6 +1968,11 @@ event: AND event.type:creation AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.' name: group + - description: 'The indicator event type is used for the subset of events within + a category that contain details about indicators of compromise (IOCs). + + A common example is `event.category:threat AND event.type:indicator`.' + name: indicator - description: The info event type is used for the subset of events within a category that indicate that they are purely informational, and don't report a state change, or any type of action. For example, an initial run of a @@ -1774,12 +1998,6 @@ event: should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process 
@@ -1850,17 +2068,15 @@ http: description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text name: text - norms: false - type: text + type: match_only_text name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -1872,18 +2088,28 @@ http: normalize: [] short: Total size in bytes of the request (body and headers). type: long + http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. - Prior to ECS 1.6.0 the following guidance was provided: - - "The field value must be normalized to lowercase for querying." - - As of ECS 1.6.0, the guidance is deprecated because the original case of the - method may be useful in anomaly detection. Original case will be mandated - in ECS 2.0.0' - example: GET, POST, PUT, PoST + The value should retain its casing from the original event. For example, `GET`, + `get`, and `GeT` are all considered valid values for this field.' + example: POST flat_name: http.request.method ignore_above: 1024 level: extended 
@@ -1891,6 +2117,22 @@ http: normalize: [] short: HTTP request method. type: keyword + http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword http.request.referrer: dashed_name: http-request-referrer description: Referrer for this HTTP request. @@ -1918,17 +2160,15 @@ http: description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text name: text - norms: false - type: text + type: match_only_text name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). 
@@ -1940,6 +2180,22 @@ http: normalize: [] short: Total size in bytes of the response (body and headers). type: long + http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword http.response.status_code: dashed_name: http-response-status-code description: HTTP response status code. @@ -1977,14 +2233,15 @@ network: fields: network.application: dashed_name: network-application - description: 'A name given to an application level protocol. This can be arbitrarily - assigned for things like microservices, but also apply to things like skype, - icq, facebook, twitter. This would be used in situations where the vendor - or service can be decoded such as from the source/dest IP owners, ports, or - wire format. - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + description: 'When a specific application or service is identified from network + connection details (source/dest IPs, ports, certificates, or wire format), + this field captures the application''s or service''s name. + + For example, the original event identifies the network connection being from + a specific web service in a `https` network connection, like `facebook` or + `twitter`. + + The field value must be normalized to lowercase for querying.' example: aim flat_name: network.application ignore_above: 1024 
@@ -2025,11 +2282,17 @@ network: network.direction: dashed_name: network-direction description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 @@ -2064,8 +2327,8 @@ network: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner 
@@ -2124,25 +2387,24 @@ network: type: long network.protocol: dashed_name: network-protocol - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + description: 'In the OSI Model this would be the Application Layer protocol. + For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: http flat_name: network.protocol ignore_above: 1024 level: core name: protocol normalize: [] - short: L7 Network protocol name. + short: Application protocol name. type: keyword network.transport: dashed_name: network-transport description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: tcp flat_name: network.transport ignore_above: 1024 @@ -2156,8 +2418,7 @@ network: description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' + The field value must be normalized to lowercase for querying.' example: ipv4 flat_name: network.type ignore_above: 1024 @@ -2231,14 +2492,14 @@ related: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword group: 2 name: related 
@@ -2300,8 +2561,7 @@ server: multi_fields: - flat_name: server.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2320,13 +2580,18 @@ server: type: long server.domain: dashed_name: server-domain - description: Server domain. + description: 'The domain name of the server system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: server.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Server domain. + short: The domain name of the server. type: keyword server.geo.city_name: dashed_name: server-geo-city-name @@ -2340,6 +2605,18 @@ server: original_fieldset: geo short: City name. type: keyword + server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. @@ -2405,6 +2682,21 @@ server: original_fieldset: geo short: User-defined description of a location. type: keyword + server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. 
@@ -2429,6 +2721,18 @@ server: original_fieldset: geo short: Region name. type: keyword + server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). @@ -2440,7 +2744,13 @@ server: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core 
@@ -2510,6 +2820,24 @@ server: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword + server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -2561,8 +2889,7 @@ server: multi_fields: - flat_name: server.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -2621,6 +2948,7 @@ server: server.user.id: dashed_name: server-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: server.user.id ignore_above: 1024 level: core @@ -2632,15 +2960,14 @@ server: server.user.name: dashed_name: server-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: server.user.name ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user 
@@ -2680,9 +3007,15 @@ server: title: Server type: group source: - description: 'Source fields describe details about the source of a packet/event. - - Source fields are usually populated in conjunction with destination fields.' + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' fields: source.address: dashed_name: source-address @@ -2721,8 +3054,7 @@ source: multi_fields: - flat_name: source.as.organization.name.text name: text - norms: false - type: text + type: match_only_text name: organization.name normalize: [] original_fieldset: as @@ -2741,13 +3073,18 @@ source: type: long source.domain: dashed_name: source-domain - description: Source domain. + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com flat_name: source.domain ignore_above: 1024 level: core name: domain normalize: [] - short: Source domain. + short: The domain name of the source. type: keyword source.geo.city_name: dashed_name: source-geo-city-name 
@@ -2761,6 +3098,18 @@ source: original_fieldset: geo short: City name. type: keyword + source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. @@ -2826,6 +3175,21 @@ source: original_fieldset: geo short: User-defined description of a location. type: keyword + source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -2850,6 +3214,18 @@ source: original_fieldset: geo short: Region name. type: keyword + source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). 
@@ -2861,7 +3237,13 @@ source: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core @@ -2931,6 +3313,24 @@ source: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword + source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -2982,8 +3382,7 @@ source: multi_fields: - flat_name: source.user.full_name.text name: text - norms: false - type: text + type: match_only_text name: full_name normalize: [] original_fieldset: user @@ -3042,6 +3441,7 @@ source: source.user.id: dashed_name: source-user-id description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: source.user.id ignore_above: 1024 level: core 
@@ -3053,15 +3453,14 @@ source: source.user.name: dashed_name: source-user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: source.user.name ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: user @@ -3109,7 +3508,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 @@ -3121,19 +3524,22 @@ url: url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment 
@@ -3154,17 +3560,15 @@ url: source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -3175,17 +3579,15 @@ url: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -3200,12 +3602,11 @@ url: dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. 
@@ -3263,6 +3664,24 @@ url: normalize: [] short: Scheme of the url. type: keyword + url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -3293,6 +3712,16 @@ url: group: 2 name: url prefix: url. + reusable: + expected: + - as: url + at: threat.indicator + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url + top_level: true short: Fields that let you store URLs in various forms. title: URL type: group @@ -3306,15 +3735,14 @@ user: user.name: dashed_name: user-name description: Short name or login of the user. - example: albert + example: a.einstein flat_name: user.name ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] short: Short name or login of the user. @@ -3322,7 +3750,10 @@ user: group: 2 name: user nestings: + - user.changes + - user.effective - user.group + - user.target prefix: user. reusable: expected: 
@@ -3332,20 +3763,38 @@ user: - as: user at: destination full: destination.user - - as: user - at: host - full: host.user - as: user at: server full: server.user - as: user at: source full: source.user + - as: target + at: user + full: user.target + short_override: Targeted user of action taken. + - as: effective + at: user + full: user.effective + short_override: User whose privileges were assumed. + - as: changes + at: user + full: user.changes + short_override: Captures changes made to a user. top_level: true reused_here: - full: user.group schema_name: group short: User's group relevant to the event. + - full: user.target + schema_name: user + short: Targeted user of action taken. + - full: user.effective + schema_name: user + short: User whose privileges were assumed. + - full: user.changes + schema_name: user + short: Captures changes made to a user. short: Fields to describe the user relevant to the event. title: User type: group @@ -3387,8 +3836,7 @@ user_agent: multi_fields: - flat_name: user_agent.original.text name: text - norms: false - type: text + type: match_only_text name: original normalize: [] short: Unparsed user_agent string. @@ -3415,8 +3863,7 @@ user_agent: multi_fields: - flat_name: user_agent.os.full.text name: text - norms: false - type: text + type: match_only_text name: full normalize: [] original_fieldset: os @@ -3444,8 +3891,7 @@ user_agent: multi_fields: - flat_name: user_agent.os.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: os 
@@ -3463,6 +3909,26 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/usage-example/generated/elasticsearch/6/template.json b/usage-example/generated/elasticsearch/6/template.json deleted file mode 100644 index 7501b7f94e..0000000000 --- a/usage-example/generated/elasticsearch/6/template.json +++ /dev/null 
@@ -1,1158 +0,0 @@ -{ - "index_patterns": [ - "acme-weblogs-*" - ], - "mappings": { - "_doc": { - "_meta": { - "version": "1.6.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "acme": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "message": { - 
"norms": false, - "type": "text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "related": { - "properties": { - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": 
"geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "order": 1, - "settings": { - "index": { - "codec": "best_compression", 
- "mapping": { - "total_fields": { - "limit": 1000 - } - }, - "refresh_interval": "2s" - } - } -} diff --git a/usage-example/generated/elasticsearch/composable/component/acme.json b/usage-example/generated/elasticsearch/composable/component/acme.json new file mode 100644 index 0000000000..684d8076c4 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/acme.json @@ -0,0 +1,23 @@ +{ + "_meta": { + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "acme": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/agent.json b/usage-example/generated/elasticsearch/composable/component/agent.json new file mode 100644 index 0000000000..66365f2261 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/agent.json @@ -0,0 +1,44 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/base.json b/usage-example/generated/elasticsearch/composable/component/base.json new file mode 100644 index 0000000000..cebc9c2971 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/base.json 
@@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/client.json b/usage-example/generated/elasticsearch/composable/component/client.json new file mode 100644 index 0000000000..cd14e25cd9 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/client.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/destination.json b/usage-example/generated/elasticsearch/composable/component/destination.json new file mode 100644 index 0000000000..ea4394b285 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/destination.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/ecs.json b/usage-example/generated/elasticsearch/composable/component/ecs.json new file mode 100644 index 0000000000..4182382330 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/ecs.json @@ -0,0 +1,20 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/event.json b/usage-example/generated/elasticsearch/composable/component/event.json new file mode 100644 index 0000000000..d710b3d0a9 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/event.json 
@@ -0,0 +1,112 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/http.json b/usage-example/generated/elasticsearch/composable/component/http.json new file mode 100644 index 0000000000..ec21145d16 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/http.json 
@@ -0,0 +1,87 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/network.json b/usage-example/generated/elasticsearch/composable/component/network.json new file mode 100644 index 0000000000..700f9da342 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/network.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/related.json b/usage-example/generated/elasticsearch/composable/component/related.json new file mode 100644 index 0000000000..ded786759c --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/related.json @@ -0,0 +1,23 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "related": { + "properties": { + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
diff --git a/usage-example/generated/elasticsearch/composable/component/server.json b/usage-example/generated/elasticsearch/composable/component/server.json new file mode 100644 index 0000000000..a4ea5f1bfd --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/server.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/source.json b/usage-example/generated/elasticsearch/composable/component/source.json new file mode 100644 index 0000000000..43cccc9d48 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/source.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/url.json b/usage-example/generated/elasticsearch/composable/component/url.json new file mode 100644 index 0000000000..ff2abe30ca --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/url.json 
@@ -0,0 +1,78 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/component/user.json b/usage-example/generated/elasticsearch/composable/component/user.json new file mode 100644 index 0000000000..0177c79ad4 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/user.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "user": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
diff --git a/usage-example/generated/elasticsearch/composable/component/user_agent.json b/usage-example/generated/elasticsearch/composable/component/user_agent.json new file mode 100644 index 0000000000..562d46033a --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/component/user_agent.json @@ -0,0 +1,83 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", + "ecs_version": "8.0.0" + }, + "template": { + "mappings": { + "properties": { + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/composable/template.json b/usage-example/generated/elasticsearch/composable/template.json new file mode 100644 index 0000000000..ea07114b25 --- /dev/null +++ b/usage-example/generated/elasticsearch/composable/template.json 
@@ -0,0 +1,62 @@ +{ + "_meta": { + "description": "Sample composable template that includes all ECS fields", + "ecs_version": "8.0.0" + }, + "composed_of": [ + "ecs_8.0.0_acme", + "ecs_8.0.0_base", + "ecs_8.0.0_ecs", + "ecs_8.0.0_event", + "ecs_8.0.0_user_agent", + "ecs_8.0.0_url", + "ecs_8.0.0_http", + "ecs_8.0.0_user", + "ecs_8.0.0_network", + "ecs_8.0.0_related", + "ecs_8.0.0_source", + "ecs_8.0.0_destination", + "ecs_8.0.0_client", + "ecs_8.0.0_server", + "ecs_8.0.0_agent" + ], + "index_patterns": [ + "acme-weblogs-*" + ], + "priority": 1, + "template": { + "mappings": { + "_meta": { + "version": "8.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ] + }, + "settings": { + "index": { + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": 2000 + } + } + } + } + } +} diff --git a/usage-example/generated/elasticsearch/7/template.json b/usage-example/generated/elasticsearch/legacy/template.json similarity index 88% rename from usage-example/generated/elasticsearch/7/template.json rename to usage-example/generated/elasticsearch/legacy/template.json index ee4a84b7f6..04b7ee36be 100644 --- a/usage-example/generated/elasticsearch/7/template.json +++ b/usage-example/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.6.0" + "version": "8.0.0" }, "date_detection": false, "dynamic_templates": [ @@ -88,8 +88,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -112,6 +111,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" 
@@ -131,6 +134,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -138,6 +145,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -168,6 +179,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -185,8 +200,7 @@ "full_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -219,8 +233,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -250,8 +263,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -274,6 +286,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -293,6 +309,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -300,6 +320,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -330,6 +354,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -347,8 +375,7 @@ "full_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -381,8 +408,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -410,6 +436,10 @@ "ignore_above": 1024, "type": "keyword" }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, "category": { "ignore_above": 1024, "type": "keyword" @@ -452,7 +482,6 @@ }, "original": { "doc_values": false, - "ignore_above": 1024, "index": false, "type": "keyword" }, @@ -513,22 +542,28 @@ "content": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "referrer": { "ignore_above": 1024, "type": "keyword" @@ -545,18 +580,20 @@ "content": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, "bytes": { "type": "long" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "status_code": { "type": "long" } @@ -572,8 +609,7 @@ "type": "object" }, "message": { - "norms": false, - "type": "text" + "type": "match_only_text" }, "network": { "properties": { @@ -676,8 +712,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -700,6 +735,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -719,6 +758,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -726,6 +769,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -756,6 +803,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -773,8 +824,7 @@ "full_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -807,8 +857,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -838,8 +887,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -862,6 +910,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -881,6 +933,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -888,6 +944,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -918,6 +978,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -935,8 +999,7 @@ "full_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -969,8 +1032,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -1005,30 +1067,25 @@ "full": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "original": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "port": { "type": "long" @@ -1045,6 +1102,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -1060,8 +1121,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -1086,8 +1146,7 @@ "original": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -1102,8 +1161,7 @@ "full": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -1116,8 +1174,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -1127,6 +1184,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword"