diff --git a/experimental/generated/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml similarity index 97% rename from experimental/generated/generated/beats/fields.ecs.yml rename to experimental/generated/beats/fields.ecs.yml index 9161f83279..0ee843e805 100644 --- a/experimental/generated/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -296,6 +296,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -696,6 +710,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -917,8 +945,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1297,7 +1324,7 @@ but it can be retrieved from `_source`.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - index: true + index: false - name: outcome level: core type: keyword @@ -1664,8 +1691,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -2285,8 +2311,7 @@ default_field: false - name: request.referrer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes @@ -2543,11 +2568,17 @@ type: keyword ignore_above: 1024 description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound - name: forwarded_ip level: core @@ -2566,8 +2597,8 @@ level: extended type: object description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) default_field: false @@ -3138,8 +3169,7 @@ default_field: false - name: original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3290,8 +3320,7 @@ description: SHA512 hash. - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3436,8 +3465,7 @@ default_field: false - name: parent.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3488,8 +3516,7 @@ default_field: false - name: parent.pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3609,8 +3636,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -4033,6 +4059,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -4348,6 +4388,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -5242,6 +5296,20 @@ Note: The `:` is not part of the scheme.' example: https + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword diff --git a/experimental/generated/generated/csv/fields.csv b/experimental/generated/csv/fields.csv similarity index 98% rename from experimental/generated/generated/csv/fields.csv rename to experimental/generated/csv/fields.csv index 2371cca84d..c7fc56ab27 100644 --- a/experimental/generated/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -30,6 +30,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. 2.0.0-dev,true,client,client.port,long,core,,,Port of the client. 2.0.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +2.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. 2.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 2.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. 2.0.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. @@ -80,6 +81,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 2.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. 2.0.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +2.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. 2.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 2.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 2.0.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. @@ -109,7 +111,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. @@ -147,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev,true,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. 2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. 2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" @@ -192,7 +194,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. @@ -269,7 +271,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. 2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -2.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. 2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. 2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. @@ -378,7 +380,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. 2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. @@ -397,14 +399,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. 2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. @@ -422,7 +424,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 2.0.0-dev,true,process,process.pid,long,core,,4242,Process id. @@ -477,6 +479,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. 2.0.0-dev,true,server,server.port,long,core,,,Port of the server. 2.0.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +2.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 2.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 2.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. 2.0.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. @@ -518,6 +521,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. 2.0.0-dev,true,source,source.port,long,core,,,Port of the source. 2.0.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +2.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 2.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 2.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. 2.0.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. @@ -636,6 +640,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. 2.0.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 2.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. 2.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 2.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 2.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. diff --git a/experimental/generated/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml similarity index 98% rename from experimental/generated/generated/ecs/ecs_flat.yml rename to experimental/generated/ecs/ecs_flat.yml index adcbe8d26a..5f27925261 100644 --- a/experimental/generated/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -343,6 +343,24 @@ client.registered_domain: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: wildcard +client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -913,6 +931,24 @@ destination.registered_domain: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: wildcard +destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -1264,13 +1300,12 @@ dll.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -1984,7 +2019,7 @@ event.original: example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - index: true + index: false level: core name: original normalize: [] @@ -2693,13 +2728,12 @@ file.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -3587,12 +3621,11 @@ http.request.referrer: description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -3927,11 +3960,17 @@ network.community_id: type: keyword network.direction: dashed_name: network-direction - description: "Direction of the network traffic.\nRecommended values are:\n * inbound\n\ - \ * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events\ - \ from a host-based monitoring context, populate this field from the host's point\ - \ of view.\nWhen mapping events from a network or perimeter-based monitoring context,\ - \ populate this field from the point of view of your network perimeter." + description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n\ + \ * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\ + \nWhen mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\ + When mapping events from a network or perimeter-based monitoring context, populate\ + \ this field from the point of view of the network perimeter, using the values\ + \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\ + \ is not crossing perimeter boundaries, and is meant to describe communication\ + \ between two hosts within the perimeter. Note also that \"external\" is meant\ + \ to describe traffic between two hosts that are external to the perimeter. This\ + \ could for example be useful for ISPs or VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 @@ -3966,8 +4005,8 @@ network.iana_number: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields to - describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields - include vlan.id and vlan.name. Inner vlan fields are typically used when sending + describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields + include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner level: extended @@ -4933,7 +4972,6 @@ process.name: Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -4943,7 +4981,7 @@ process.name: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the @@ -5163,7 +5201,6 @@ process.parent.name: Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -5174,7 +5211,7 @@ process.parent.name: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. @@ -5244,13 +5281,12 @@ process.parent.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -5447,13 +5483,12 @@ process.pe.original_file_name: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. @@ -6069,6 +6104,24 @@ server.registered_domain: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: wildcard +server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -6570,6 +6623,24 @@ source.registered_domain: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: wildcard +source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -8026,6 +8097,24 @@ url.scheme: normalize: [] short: Scheme of the url. type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, diff --git a/experimental/generated/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml similarity index 98% rename from experimental/generated/generated/ecs/ecs_nested.yml rename to experimental/generated/ecs/ecs_nested.yml index c43ea2e9b2..1c40d63dfd 100644 --- a/experimental/generated/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -488,6 +488,24 @@ client: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: wildcard + client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -1200,6 +1218,24 @@ destination: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: wildcard + destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -1585,13 +1621,12 @@ dll: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -2382,7 +2417,7 @@ event: example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original - index: true + index: false level: core name: original normalize: [] @@ -3116,13 +3151,12 @@ file: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -4277,12 +4311,11 @@ http: description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -4674,11 +4707,17 @@ network: network.direction: dashed_name: network-direction description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 @@ -4713,8 +4752,8 @@ network: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner @@ -5721,12 +5760,11 @@ pe: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. @@ -5976,7 +6014,6 @@ process: Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -5986,7 +6023,7 @@ process: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to @@ -6206,7 +6243,6 @@ process: Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -6217,7 +6253,7 @@ process: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. @@ -6287,13 +6323,12 @@ process: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -6490,13 +6525,12 @@ process: description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. @@ -7202,6 +7236,24 @@ server: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: wildcard + server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -7747,6 +7799,24 @@ source: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: wildcard + source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -9272,6 +9342,24 @@ url: normalize: [] short: Scheme of the url. type: keyword + url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain diff --git a/experimental/generated/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json similarity index 99% rename from experimental/generated/generated/elasticsearch/7/template.json rename to experimental/generated/elasticsearch/7/template.json index 8b2df2781e..c4cded14d5 100644 --- a/experimental/generated/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -145,6 +145,10 @@ "registered_domain": { "type": "wildcard" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -391,6 +395,10 @@ "registered_domain": { "type": "wildcard" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -528,8 +536,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -698,6 +705,8 @@ "type": "keyword" }, "original": { + "doc_values": false, + "index": false, "type": "wildcard" }, "outcome": { @@ -879,8 +888,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -1228,8 +1236,7 @@ "type": "keyword" }, "referrer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1761,8 +1768,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "parent": { "properties": { @@ -1846,8 +1852,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -1872,8 +1877,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -1950,8 +1954,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -2193,6 +2196,10 @@ "registered_domain": { "type": "wildcard" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2384,6 +2391,10 @@ "registered_domain": { "type": "wildcard" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2929,6 +2940,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword"