From 43a2e53563b05777d7e58b3ce798a5cdb5386282 Mon Sep 17 00:00:00 2001
From: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
Date: Tue, 17 Dec 2019 14:44:37 +0100
Subject: [PATCH] Added related.user field (#694)

---
 CHANGELOG.next.md                       | 1 +
 code/go/ecs/related.go                  | 3 +++
 docs/field-details.asciidoc             | 11 +++++++++++
 generated/beats/fields.ecs.yml          | 5 +++++
 generated/csv/fields.csv                | 1 +
 generated/ecs/ecs_flat.yml              | 10 ++++++++++
 generated/ecs/ecs_nested.yml            | 10 ++++++++++
 generated/elasticsearch/6/template.json | 4 ++++
 generated/elasticsearch/7/template.json | 4 ++++
 schemas/related.yml                     | 6 ++++++
 10 files changed, 55 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 90dfe91226..0e0d3757b8 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->
 * Added `rule` fields. #665
 * Added default `text` analyzer as a multi-field to around 25 more fields. #680
 * Added `registry.*` fieldset for the Windows registry. #673
+* Added `related.user` #694
 
 #### Improvements
 
diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go
index 43fea9347e..492701d029 100644
--- a/code/go/ecs/related.go
+++ b/code/go/ecs/related.go
@@ -30,4 +30,7 @@ package ecs
 type Related struct {
 	// All of the IPs seen on your event.
 	IP string `ecs:"ip"`
+
+	// All the user names seen on your event.
+	User string `ecs:"user"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index da3b4375b9..fae0329206 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3641,6 +3641,17 @@ type: ip
 
 
 
+| extended
+
+// ===============================================================
+
+| related.user
+| All the user names seen on your event.
+
+type: keyword
+
+
+
 | extended
 
 // ===============================================================
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 8c39f9a22d..56f69dfb5f 100644
--- a/generated/beats/fields.ecs.yml
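Review bot: The new `User string` field in the `related.go` hunk can carry exactly one value, yet its comment says "All the user names seen on your event" — a Go producer that fills this struct from an event involving two or three accounts can emit only one of them, which defeats the pivot the field exists for. The existing `IP string` has the same tension, but the new field copies it instead of making it explicit. If this file is generated from `schemas/related.yml` (the comment is the schema description verbatim, which suggests so), the wording should change in the schema; otherwise spell the limitation out on the Go side: `// All the user names seen on your event. The mapping is a plain keyword, which in Elasticsearch may hold an array, but this binding carries a single value.` The whole `Related` struct is visible in the hunk.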
+++ b/generated/beats/fields.ecs.yml
@@ -2657,6 +2657,11 @@
         level: extended
         type: ip
         description: All of the IPs seen on your event.
+      - name: user
+        level: extended
+        type: keyword
+        ignore_above: 1024
+        description: All the user names seen on your event.
   - name: rule
     title: Rule
     group: 2
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 310499bde5..67594df0c0 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -350,6 +350,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.4.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.4.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written.
 1.4.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event.
+1.4.0-dev,true,related,related.user,keyword,extended,,All the user names seen on your event.
 1.4.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category
 1.4.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description
 1.4.0-dev,true,rule,rule.id,keyword,extended,101,Rule ID
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index d9ffea8e34..2aba16350b 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -4142,6 +4142,16 @@ related.ip:
   order: 0
   short: All of the IPs seen on your event.
   type: ip
+related.user:
+  dashed_name: related-user
+  description: All the user names seen on your event.
+  flat_name: related.user
+  ignore_above: 1024
+  level: extended
+  name: user
+  order: 1
+  short: All the user names seen on your event.
+  type: keyword
 rule.category:
   dashed_name: rule-category
   description: A categorization value keyword used by the entity using the rule for
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index d143132f2b..9f25ed658f 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -4563,6 +4563,16 @@ related:
       order: 0
       short: All of the IPs seen on your event.
       type: ip
+    user:
+      dashed_name: related-user
+      description: All the user names seen on your event.
+      flat_name: related.user
+      ignore_above: 1024
+      level: extended
+      name: user
+      order: 1
+      short: All the user names seen on your event.
+      type: keyword
   group: 2
   name: related
   prefix: related.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 37d2226b69..93628ac71a 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1664,6 +1664,10 @@
           "properties": {
             "ip": {
               "type": "ip"
+            },
+            "user": {
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index ff3ad98a9a..053d9ae09e 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1663,6 +1663,10 @@
           "properties": {
             "ip": {
               "type": "ip"
+            },
+            "user": {
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         },
diff --git a/schemas/related.yml b/schemas/related.yml
index fa5b337c24..9470c4fa79 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -22,3 +22,9 @@
       type: ip
       description: >
         All of the IPs seen on your event.
+
+    - name: user
+      level: extended
+      type: keyword
+      description: >
+        All the user names seen on your event.
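Review bot: The description added for `related.user` in `schemas/related.yml`, `All the user names seen on your event.`, does not say which fields feed it or that it is multi-valued, so producers will populate it inconsistently and a detection that pivots on it (one query for every event involving an account, whatever role the account played) will silently miss events. `related.ip` carries the same wording, so this is inherited, but the new field is the place to fix it; something like `All the user names seen on your event, collected from every user nesting (presumably user.name and its reuses such as source.user.name and destination.user.name); expected to hold one entry per distinct value.` Because `keyword` matching is exact and case-sensitive, the schema should also state whether producers are expected to collapse variants such as `Administrator`/`administrator` or `DOMAIN\user`/`user`, or whether that is left to the consumer. The enclosing `related` fieldset and the `ip` entry begin above the hunk.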