From a35a903e8d907fb251742ceb032a31e2e96eceb0 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 8 Jul 2019 08:15:54 -0400 Subject: [PATCH] Add Autonomous System (AS) fields (#341) This adds fields for Autonomous System (AS) information. It's common to enrich events containing IP addresses with information about the AS controlling that address. --- CHANGELOG.next.md | 2 +- code/go/ecs/as.go | 33 ++++++ docs/field-details.asciidoc | 70 ++++++++++++ docs/fields.asciidoc | 2 + generated/beats/fields.ecs.yml | 69 ++++++++++++ generated/csv/fields.csv | 10 ++ generated/ecs/ecs_flat.yml | 113 ++++++++++++++++++++ generated/ecs/ecs_nested.yml | 136 ++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 75 +++++++++++++ generated/elasticsearch/7/template.json | 75 +++++++++++++ generated/legacy/template.json | 15 +++ schemas/as.yml | 34 ++++++ scripts/cmd/gocodegen/gocodegen.go | 2 +- 13 files changed, 634 insertions(+), 2 deletions(-) create mode 100644 code/go/ecs/as.go create mode 100644 schemas/as.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 566419cdd9..ca7307fcd1 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,7 +14,7 @@ * Added `file.created`, and `file.accessed`. #445 * Added `domain` field to user. #486 * Added `.nat.ip` and `.nat.port` to `source`, `destination`, `client` and `server`. #491 - +* Added `as` fields for Autonomous System information (i.e. ASN). #341 ### Improvements diff --git a/code/go/ecs/as.go b/code/go/ecs/as.go new file mode 100644 index 0000000000..32451693f6 --- /dev/null +++ b/code/go/ecs/as.go 
@@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// An autonomous system (AS) is a collection of connected Internet Protocol +// (IP) routing prefixes under the control of one or more network operators on +// behalf of a single administrative entity or domain that presents a common, +// clearly defined routing policy to the internet. +type AS struct { + // Unique number allocated to the autonomous system. The autonomous system + // number (ASN) uniquely identifies each network on the Internet. + Number int64 `ecs:"number"` + + // Organization name. + OrganizationName string `ecs:"organization.name"` +} diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index ea66e4843d..dfc98e7b69 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -154,6 +154,52 @@ example: `6.0.0-rc2` |===== +[[ecs-as]] +=== Autonomous System Fields + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + +==== Autonomous System Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| as.number +| Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: `15169` + +| extended + +// =============================================================== + +| as.organization.name +| Organization name. + +type: keyword + +example: `Google LLC` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `as` fields are expected to be nested at: `client.as`, `destination.as`, `server.as`, `source.as`. + +Note also that the `as` fields are not expected to be used directly at the top level. + + + + [[ecs-client]] === Client Fields @@ -295,6 +341,12 @@ type: long // =============================================================== +| <> +| Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + | <> | Fields describing a location. @@ -625,6 +677,12 @@ type: long // =============================================================== +| <> +| Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + | <> | Fields describing a location. 
@@ -2563,6 +2621,12 @@ type: long // =============================================================== +| <> +| Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + | <> | Fields describing a location. @@ -2817,6 +2881,12 @@ type: long // =============================================================== +| <> +| Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + | <> | Fields describing a location. diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 2436c746e2..558536f14c 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -22,6 +22,8 @@ all fields are defined. | <> | Fields about the monitoring agent. +| <> | Fields describing an Autonomous System (Internet routing prefix). + | <> | Fields about the client side of a network connection, used with server. | <> | Fields about the cloud resource. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 2f0c747e69..49594579c0 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -110,6 +110,27 @@ ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 + - name: as + title: Autonomous System + group: 2 + description: An autonomous system (AS) is a collection of connected Internet Protocol + (IP) routing prefixes under the control of one or more network operators on + behalf of a single administrative entity or domain that presents a common, clearly + defined routing policy to the internet. + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: client title: Client group: 2 @@ -140,6 +161,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long @@ -403,6 +436,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long 
@@ -1816,6 +1861,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long @@ -2053,6 +2110,18 @@ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + description: Organization name. + example: Google LLC - name: bytes level: core type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 1a2fa1cafa..a64ef4e425 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -8,7 +8,11 @@ agent.id,keyword,core,8a4f500d,1.1.0-dev agent.name,keyword,core,foo,1.1.0-dev agent.type,keyword,core,filebeat,1.1.0-dev agent.version,keyword,core,6.0.0-rc2,1.1.0-dev +as.number,long,extended,15169,1.1.0-dev +as.organization.name,keyword,extended,Google LLC,1.1.0-dev client.address,keyword,extended,,1.1.0-dev +client.as.number,long,extended,15169,1.1.0-dev +client.as.organization.name,keyword,extended,Google LLC,1.1.0-dev client.bytes,long,core,184,1.1.0-dev client.domain,keyword,core,,1.1.0-dev client.geo.city_name,keyword,core,Montreal,1.1.0-dev 
@@ -47,6 +51,8 @@ container.labels,object,extended,,1.1.0-dev container.name,keyword,extended,,1.1.0-dev container.runtime,keyword,extended,docker,1.1.0-dev destination.address,keyword,extended,,1.1.0-dev +destination.as.number,long,extended,15169,1.1.0-dev +destination.as.organization.name,keyword,extended,Google LLC,1.1.0-dev destination.bytes,long,core,184,1.1.0-dev destination.domain,keyword,core,,1.1.0-dev destination.geo.city_name,keyword,core,Montreal,1.1.0-dev @@ -231,6 +237,8 @@ process.uptime,long,extended,1325,1.1.0-dev process.working_directory,keyword,extended,/home/alice,1.1.0-dev related.ip,ip,extended,,1.1.0-dev server.address,keyword,extended,,1.1.0-dev +server.as.number,long,extended,15169,1.1.0-dev +server.as.organization.name,keyword,extended,Google LLC,1.1.0-dev server.bytes,long,core,184,1.1.0-dev server.domain,keyword,core,,1.1.0-dev server.geo.city_name,keyword,core,Montreal,1.1.0-dev @@ -262,6 +270,8 @@ service.state,keyword,core,,1.1.0-dev service.type,keyword,core,elasticsearch,1.1.0-dev service.version,keyword,core,3.2.4,1.1.0-dev source.address,keyword,extended,,1.1.0-dev +source.as.number,long,extended,15169,1.1.0-dev +source.as.organization.name,keyword,extended,Google LLC,1.1.0-dev source.bytes,long,core,184,1.1.0-dev source.domain,keyword,core,,1.1.0-dev source.geo.city_name,keyword,core,Montreal,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d7780bf756..c40bc406b7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -80,6 +80,27 @@ agent.version: order: 0 short: Version of the agent. type: keyword +as.number: + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: as.number + level: extended + name: number + order: 0 + short: Unique number allocated to the autonomous system. The autonomous system number + (ASN) uniquely identifies each network on the Internet. + type: long +as.organization.name: + description: Organization name. + example: Google LLC + flat_name: as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + short: Organization name. + type: keyword client.address: description: 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the @@ -94,6 +115,29 @@ client.address: order: 0 short: Client network address. type: keyword +client.as.number: + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: client.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system number + (ASN) uniquely identifies each network on the Internet. + type: long +client.as.organization.name: + description: Organization name. + example: Google LLC + flat_name: client.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword client.bytes: description: Bytes sent from the client to the server. example: 184 
@@ -496,6 +540,29 @@ destination.address: order: 0 short: Destination network address. type: keyword +destination.as.number: + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: destination.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system number + (ASN) uniquely identifies each network on the Internet. + type: long +destination.as.organization.name: + description: Organization name. + example: Google LLC + flat_name: destination.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword destination.bytes: description: Bytes sent from the destination to the source. example: 184 @@ -2559,6 +2626,29 @@ server.address: order: 0 short: Server network address. type: keyword +server.as.number: + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: server.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system number + (ASN) uniquely identifies each network on the Internet. + type: long +server.as.organization.name: + description: Organization name. + example: Google LLC + flat_name: server.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword server.bytes: description: Bytes sent from the server to the client. example: 184 
@@ -2919,6 +3009,29 @@ source.address: order: 0 short: Source network address. type: keyword +source.as.number: + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: source.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system number + (ASN) uniquely identifies each network on the Internet. + type: long +source.as.organization.name: + description: Organization name. + example: Google LLC + flat_name: source.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword source.bytes: description: Bytes sent from the source to the destination. example: 184 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index e2ab03d846..4190752d06 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -81,6 +81,46 @@ agent: short: Fields about the monitoring agent. title: Agent type: group +as: + description: An autonomous system (AS) is a collection of connected Internet Protocol + (IP) routing prefixes under the control of one or more network operators on behalf + of a single administrative entity or domain that presents a common, clearly defined + routing policy to the internet. + fields: + number: + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: as.number + level: extended + name: number + order: 0 + short: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + type: long + organization.name: + description: Organization name. + example: Google LLC + flat_name: as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + short: Organization name. + type: keyword + group: 2 + name: as + prefix: as. + reusable: + expected: + - client + - destination + - server + - source + top_level: false + short: Fields describing an Autonomous System (Internet routing prefix). + title: Autonomous System + type: group base: description: The `base` field set contains all fields which are on the top level. These fields are common across all types of events. 
@@ -184,6 +224,29 @@ client: order: 0 short: Client network address. type: keyword + as.number: + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: client.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + type: long + as.organization.name: + description: Organization name. + example: Google LLC + flat_name: client.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword bytes: description: Bytes sent from the client to the server. example: 184 @@ -448,6 +511,7 @@ client: name: client nestings: - geo + - as - user prefix: client. short: Fields about the client side of a network connection, used with server. @@ -627,6 +691,29 @@ destination: order: 0 short: Destination network address. type: keyword + as.number: + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: destination.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + type: long + as.organization.name: + description: Organization name. + example: Google LLC + flat_name: destination.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword bytes: description: Bytes sent from the destination to the source. example: 184 
@@ -890,6 +977,7 @@ destination: name: destination nestings: - geo + - as - user prefix: destination. short: Fields about the destination side of a network connection, used with source. @@ -2934,6 +3022,29 @@ server: order: 0 short: Server network address. type: keyword + as.number: + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: server.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + type: long + as.organization.name: + description: Organization name. + example: Google LLC + flat_name: server.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword bytes: description: Bytes sent from the server to the client. example: 184 @@ -3198,6 +3309,7 @@ server: name: server nestings: - geo + - as - user prefix: server. short: Fields about the server side of a network connection, used with client. 
@@ -3320,6 +3432,29 @@ source: order: 0 short: Source network address. type: keyword + as.number: + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: source.as.number + level: extended + name: number + order: 0 + original_fieldset: as + short: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + type: long + as.organization.name: + description: Organization name. + example: Google LLC + flat_name: source.as.organization.name + ignore_above: 1024 + level: extended + name: organization.name + order: 1 + original_fieldset: as + short: Organization name. + type: keyword bytes: description: Bytes sent from the source to the destination. example: 184 @@ -3584,6 +3719,7 @@ source: name: source nestings: - geo + - as - user prefix: source. short: Fields about the source side of a network connection, used with destination. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 6eb3ce6017..a650fa8a55 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -47,12 +47,42 @@ } } }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "client": { "properties": { "address": { "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, 
@@ -241,6 +271,21 @@ "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, @@ -1083,6 +1128,21 @@ "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, @@ -1224,6 +1284,21 @@ "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index d1b0d01fb7..44d6789f57 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -46,12 +46,42 @@ } } }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "client": { "properties": { "address": { "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, @@ -240,6 +270,21 @@ "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, 
@@ -1082,6 +1127,21 @@ "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, @@ -1223,6 +1283,21 @@ "ignore_above": 1024, "type": "keyword" }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "bytes": { "type": "long" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 6ae297ea41..1fc0f80a84 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -47,6 +47,21 @@ } } }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "client": { "properties": { "address": { diff --git a/schemas/as.yml b/schemas/as.yml new file mode 100644 index 0000000000..9a4643ecc6 --- /dev/null +++ b/schemas/as.yml 
@@ -0,0 +1,34 @@ +--- +- name: as + title: Autonomous System + group: 2 + short: Fields describing an Autonomous System (Internet routing prefix). + description: > + An autonomous system (AS) is a collection of connected Internet Protocol + (IP) routing prefixes under the control of one or more network operators on + behalf of a single administrative entity or domain that presents a common, + clearly defined routing policy to the internet. + reusable: + top_level: false + expected: + - client + - destination + - server + - source + type: group + fields: + + - name: number + level: extended + type: long + description: > + Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + + - name: organization.name + level: extended + type: keyword + description: > + Organization name. + example: Google LLC diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go index 652d4dd9f1..f2fbd59124 100644 --- a/scripts/cmd/gocodegen/gocodegen.go +++ b/scripts/cmd/gocodegen/gocodegen.go @@ -295,7 +295,7 @@ func goDataType(fieldName, elasticsearchDataType string) string { // abbreviations capitalizes common abbreviations. func abbreviations(abv string) string { switch strings.ToLower(abv) { - case "id", "ppid", "pid", "pgid", "mac", "ip", "iana", "uid", "ecs": + case "id", "ppid", "pid", "pgid", "mac", "ip", "iana", "uid", "ecs", "as": return strings.ToUpper(abv) default: return abv
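Review bot: The `short` text in `schemas/as.yml` calls an Autonomous System an "Internet routing prefix", which contradicts the `description` right below it: an AS is a collection of prefixes, not a single prefix. That string is copied into `docs/fields.asciidoc`, `docs/field-details.asciidoc` and `ecs_nested.yml` in this same patch, so I would fix it at the source, for example `short: Fields describing an Autonomous System (a group of IP routing prefixes under one routing policy).` The `number` description could also say that ASNs are 32-bit unsigned values, which is why the type is `long`. It states that the ASN "uniquely identifies each network on the Internet", but private-use ASNs are not globally unique. Since the commit message says these fields are filled by enrichment, it is worth noting that the values reflect the lookup database at enrichment time and are not authoritative for detection logic.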
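Review bot: Adding `"as"` to the case list in `abbreviations` upper-cases a token that is also an ordinary English word, unlike most of the existing entries (`pid`, `mac`, `iana`). The callers are outside this hunk, but if the function runs on every word of a field name, a later field such as `run_as` would presumably come out as `RunAS`. A comment above the case would record the intent, for example `// "as" is the Autonomous System field set; revisit if a field name ever uses "as" as a plain word.` The function's closing braces are also outside the hunk.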