From 8e889f80af6353be4eddcd8571cde86f7295fc8a Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Fri, 2 Oct 2020 16:58:13 -0500 Subject: [PATCH] update experimental artifacts --- experimental/generated/beats/fields.ecs.yml | 26 +++++++------------ experimental/generated/csv/fields.csv | 16 ++++++------ experimental/generated/ecs/ecs_flat.yml | 23 ++++++---------- experimental/generated/ecs/ecs_nested.yml | 26 +++++++------------ .../generated/elasticsearch/7/template.json | 23 +++++++--------- 5 files changed, 43 insertions(+), 71 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 9161f83279..67ae7fac53 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -917,8 +917,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1297,7 +1296,7 @@ but it can be retrieved from `_source`.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - index: true + index: false - name: outcome level: core type: keyword @@ -1664,8 +1663,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -2285,8 +2283,7 @@ default_field: false - name: request.referrer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes @@ -3138,8 +3135,7 @@ default_field: false - name: original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3290,8 +3286,7 @@ description: SHA512 hash. - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3436,8 +3431,7 @@ default_field: false - name: parent.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3488,8 +3482,7 @@ default_field: false - name: parent.pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3609,8 +3602,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2371cca84d..de0428f48c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -109,7 +109,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. @@ -147,7 +147,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev,true,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. 2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. 2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" @@ -192,7 +192,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. @@ -269,7 +269,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. 2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -2.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. 2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. 2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. @@ -378,7 +378,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. 2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. @@ -397,14 +397,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. 2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. @@ -422,7 +422,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 2.0.0-dev,true,process,process.pid,long,core,,4242,Process id. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index adcbe8d26a..070228482b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1264,13 +1264,12 @@ dll.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -1984,7 +1983,7 @@ event.original: example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - index: true + index: false level: core name: original normalize: [] @@ -2693,13 +2692,12 @@ file.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -3587,12 +3585,11 @@ http.request.referrer: description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -4933,7 +4930,6 @@ process.name: Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -4943,7 +4939,7 @@ process.name: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the @@ -5163,7 +5159,6 @@ process.parent.name: Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -5174,7 +5169,7 @@ process.parent.name: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. @@ -5244,13 +5239,12 @@ process.parent.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -5447,13 +5441,12 @@ process.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index c43ea2e9b2..f132af0a91 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1585,13 +1585,12 @@ dll: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -2382,7 +2381,7 @@ event: example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - index: true + index: false level: core name: original normalize: [] @@ -3116,13 +3115,12 @@ file: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -4277,12 +4275,11 @@ http: description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -5721,12 +5718,11 @@ pe: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. @@ -5976,7 +5972,6 @@ process: Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -5986,7 +5981,7 @@ process: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to @@ -6206,7 +6201,6 @@ process: Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -6217,7 +6211,7 @@ process: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. @@ -6287,13 +6281,12 @@ process: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -6490,13 +6483,12 @@ process: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 8b2df2781e..bd243ca133 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -528,8 +528,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -698,6 +697,8 @@ "type": "keyword" }, "original": { + "doc_values": false, + "index": false, "type": "wildcard" }, "outcome": { @@ -879,8 +880,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -1228,8 +1228,7 @@ "type": "keyword" }, "referrer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1761,8 +1760,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "parent": { "properties": { @@ -1846,8 +1844,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -1872,8 +1869,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -1950,8 +1946,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024,