update experimental artifacts
ebeahan committed Oct 2, 2020
1 parent 9d844d4 commit 8e889f8
Showing 5 changed files with 43 additions and 71 deletions.
26 changes: 9 additions & 17 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -917,8 +917,7 @@
default_field: false
- name: pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
Expand Down Expand Up @@ -1297,7 +1296,7 @@
but it can be retrieved from `_source`.'
example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
index: true
index: false
- name: outcome
level: core
type: keyword
Expand Down Expand Up @@ -1664,8 +1663,7 @@
default_field: false
- name: pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
Expand Down Expand Up @@ -2285,8 +2283,7 @@
default_field: false
- name: request.referrer
level: extended
type: keyword
ignore_above: 1024
type: wildcard
description: Referrer for this HTTP request.
example: https://blog.example.com/
- name: response.body.bytes
Expand Down Expand Up @@ -3138,8 +3135,7 @@
default_field: false
- name: original_file_name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
Expand Down Expand Up @@ -3290,8 +3286,7 @@
description: SHA512 hash.
- name: name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
multi_fields:
- name: text
type: text
Expand Down Expand Up @@ -3436,8 +3431,7 @@
default_field: false
- name: parent.name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
multi_fields:
- name: text
type: text
Expand Down Expand Up @@ -3488,8 +3482,7 @@
default_field: false
- name: parent.pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
Expand Down Expand Up @@ -3609,8 +3602,7 @@
default_field: false
- name: pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
type: wildcard
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
16 changes: 8 additions & 8 deletions experimental/generated/csv/fields.csv
Expand Up @@ -109,7 +109,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
2.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
Expand Down Expand Up @@ -147,7 +147,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
2.0.0-dev,true,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
2.0.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
Expand Down Expand Up @@ -192,7 +192,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
2.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
Expand Down Expand Up @@ -269,7 +269,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
2.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
Expand Down Expand Up @@ -378,7 +378,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
2.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
Expand All @@ -397,14 +397,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
2.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
2.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
Expand All @@ -422,7 +422,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
2.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
2.0.0-dev,true,process,process.pid,long,core,,4242,Process id.
23 changes: 8 additions & 15 deletions experimental/generated/ecs/ecs_flat.yml
Expand Up @@ -1264,13 +1264,12 @@ dll.pe.original_file_name:
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: dll.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
type: wildcard
dll.pe.product:
dashed_name: dll-pe-product
description: Internal product name of the file, provided at compile-time.
Expand Down Expand Up @@ -1984,7 +1983,7 @@ event.original:
example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
flat_name: event.original
index: true
index: false
level: core
name: original
normalize: []
Expand Down Expand Up @@ -2693,13 +2692,12 @@ file.pe.original_file_name:
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: file.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
type: wildcard
file.pe.product:
dashed_name: file-pe-product
description: Internal product name of the file, provided at compile-time.
Expand Down Expand Up @@ -3587,12 +3585,11 @@ http.request.referrer:
description: Referrer for this HTTP request.
example: https://blog.example.com/
flat_name: http.request.referrer
ignore_above: 1024
level: extended
name: request.referrer
normalize: []
short: Referrer for this HTTP request.
type: keyword
type: wildcard
http.response.body.bytes:
dashed_name: http-response-body-bytes
description: Size in bytes of the response body.
Expand Down Expand Up @@ -4933,7 +4930,6 @@ process.name:
Sometimes called program name or similar.'
example: ssh
flat_name: process.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.name.text
Expand All @@ -4943,7 +4939,7 @@ process.name:
name: name
normalize: []
short: Process name.
type: keyword
type: wildcard
process.parent.args:
dashed_name: process-parent-args
description: 'Array of process arguments, starting with the absolute path to the
Expand Down Expand Up @@ -5163,7 +5159,6 @@ process.parent.name:
Sometimes called program name or similar.'
example: ssh
flat_name: process.parent.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.name.text
Expand All @@ -5174,7 +5169,7 @@ process.parent.name:
normalize: []
original_fieldset: process
short: Process name.
type: keyword
type: wildcard
process.parent.pe.architecture:
dashed_name: process-parent-pe-architecture
description: CPU architecture target for the file.
Expand Down Expand Up @@ -5244,13 +5239,12 @@ process.parent.pe.original_file_name:
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: process.parent.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
type: wildcard
process.parent.pe.product:
dashed_name: process-parent-pe-product
description: Internal product name of the file, provided at compile-time.
Expand Down Expand Up @@ -5447,13 +5441,12 @@ process.pe.original_file_name:
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: process.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
type: wildcard
process.pe.product:
dashed_name: process-pe-product
description: Internal product name of the file, provided at compile-time.