From cffcdc5a852339c15bc786198008845969a51653 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 20 Mar 2019 10:28:27 -0400 Subject: [PATCH] Wrap long definitions to less than 100 chars per line. (#389) --- README.md | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/ecs/fields_nested.yml | 4 +-- generated/legacy/fields.yml | 60 ++++++++++++++++++++++++++------- schema.json | 2 +- schemas/client.yml | 11 ++++-- schemas/event.yml | 10 +++++- schemas/file.yml | 4 ++- schemas/host.yml | 4 ++- schemas/observer.yml | 11 ++++-- schemas/related.yml | 5 ++- schemas/server.yml | 11 ++++-- 12 files changed, 99 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 2b3695430..1a2339d12 100644 --- a/README.md +++ b/README.md 
@@ -119,7 +119,7 @@ Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index ed33bb8e6..f9b022f39 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -121,7 +121,7 @@ or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually - populated in conjunction with server fields. Client fields are generally not + populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which diff --git a/generated/ecs/fields_nested.yml b/generated/ecs/fields_nested.yml index 27a7d0e97..a3079e545 100644 --- a/generated/ecs/fields_nested.yml +++ b/generated/ecs/fields_nested.yml @@ -162,8 +162,8 @@ client: in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated - in conjunction with server fields. Client fields are generally not populated - for packet-level events. + in conjunction with server fields. Client fields are generally not populated for + packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls diff --git a/generated/legacy/fields.yml b/generated/legacy/fields.yml index fb935dc0d..190057c65 100644 --- a/generated/legacy/fields.yml +++ b/generated/legacy/fields.yml 
@@ -145,9 +145,16 @@ description: > A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. - For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. - - Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). + For other protocols, the client is generally the initiator or requestor in the network transaction. + Some systems use the term "originator" to refer the client in TCP connections. + The client fields describe details about the system acting as the client in the network event. + Client fields are usually populated in conjunction with server fields. + Client fields are generally not populated for packet-level events. + + Client / server representations can add semantic context to an exchange, + which is helpful to visualize the data in certain situations. + If your context falls in that category, you should still ensure that source and destination are filled appropriately. type: group fields: 
@@ -450,7 +457,15 @@ description: > The event fields are used for context information about the log or metric event itself. - A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. + Examples of log events include a process starting on a host, + a network packet being sent from a source to a destination, + or a network connection between a client and a server being initiated or closed. + A metric is defined as an event containing one or more numerical or + categorical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host, + or vulnerabilities measured on a scanned host. type: group fields: 
@@ -666,7 +681,9 @@ description: > A file is defined as a set of information that has been created on, or has existed on a filesystem. - File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + File objects can be associated with host events, network events, + and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). + File fields provide details about the affected file associated with the event or metric. type: group fields: @@ -866,7 +883,9 @@ description: > A host is defined as a general computing instance. - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + ECS host.* fields should be populated with details about the host on which + the event happened, or from which the measurement was taken. + Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. type: group fields: 
@@ -1200,9 +1219,16 @@ group: 2 short: Fields describing an entity observing the event from outside the host. description: > - An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. - - This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + An observer is defined as a special network, security, or application device + used to detect, observe, or create network, security, or application-related events and metrics. + + This could be a custom hardware appliance or a server that has been configured + to run special network, security, or application software. + Examples include firewalls, intrusion detection/prevention systems, + network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. + The observer.* fields shall be populated with details of the system, if any, + that detects, observes and/or creates a network, security, or application event or metric. + Message queues and ETL components used in processing events or metrics are not considered observers in ECS. type: group fields: - name: mac 
@@ -1422,7 +1448,10 @@ To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. - A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. + A concrete example is IP addresses, which can be under host, observer, source, + destination, client, server, and network.forwarded_ip. + If you append all IPs to `related.ip`, you can then search for a given IP trivially, + no matter where it appeared, by querying `related.ip:a.b.c.d`. type: group fields: 
@@ -1439,9 +1468,16 @@ description: > A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. - For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. + For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. + For other protocols, the server is generally the responder in the network transaction. + Some systems actually use the term "responder" to refer the server in TCP connections. + The server fields describe details about the system acting as the server in the network event. + Server fields are usually populated in conjunction with client fields. + Server fields are generally not populated for packet-level events. - Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + Client / server representations can add semantic context to an exchange, + which is helpful to visualize the data in certain situations. + If your context falls in that category, you should still ensure that source and destination are filled appropriately. type: group fields: diff --git a/schema.json b/schema.json index 4540165d1..a00cc38ae 100644 --- a/schema.json +++ b/schema.json 
@@ -108,7 +108,7 @@ "type": "group" }, "client": { - "description": "A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.\nFor TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term \"originator\" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.\nClient / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.\n", + "description": "A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.\nFor TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term \"originator\" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.\nClient / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.\n", "fields": { "client.address": { "description": "Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.", diff --git a/schemas/client.yml b/schemas/client.yml index 986bd3222..97d92172a 100644 --- a/schemas/client.yml +++ b/schemas/client.yml 
@@ -6,9 +6,16 @@ description: > A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. - For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. + For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). + For other protocols, the client is generally the initiator or requestor in the network transaction. + Some systems use the term "originator" to refer the client in TCP connections. + The client fields describe details about the system acting as the client in the network event. + Client fields are usually populated in conjunction with server fields. + Client fields are generally not populated for packet-level events. - Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + Client / server representations can add semantic context to an exchange, + which is helpful to visualize the data in certain situations. + If your context falls in that category, you should still ensure that source and destination are filled appropriately. type: group fields: diff --git a/schemas/event.yml b/schemas/event.yml index aa16008d7..37b8288e6 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -6,7 +6,15 @@ description: > The event fields are used for context information about the log or metric event itself. - A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. + Examples of log events include a process starting on a host, + a network packet being sent from a source to a destination, + or a network connection between a client and a server being initiated or closed. + A metric is defined as an event containing one or more numerical or + categorical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host, + or vulnerabilities measured on a scanned host. type: group fields: diff --git a/schemas/file.yml b/schemas/file.yml index 5aa6166c2..f3d767a27 100644 --- a/schemas/file.yml +++ b/schemas/file.yml 
@@ -6,7 +6,9 @@ description: > A file is defined as a set of information that has been created on, or has existed on a filesystem. - File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + File objects can be associated with host events, network events, + and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). + File fields provide details about the affected file associated with the event or metric. type: group fields: diff --git a/schemas/host.yml b/schemas/host.yml index 34a959514..d2349b06f 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -6,7 +6,9 @@ description: > A host is defined as a general computing instance. - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + ECS host.* fields should be populated with details about the host on which + the event happened, or from which the measurement was taken. + Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. type: group fields: diff --git a/schemas/observer.yml b/schemas/observer.yml index 9fcd3adc5..56dfd9438 100644 --- a/schemas/observer.yml +++ b/schemas/observer.yml 
@@ -4,9 +4,16 @@ group: 2 short: Fields describing an entity observing the event from outside the host. description: > - An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. + An observer is defined as a special network, security, or application device + used to detect, observe, or create network, security, or application-related events and metrics. - This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + This could be a custom hardware appliance or a server that has been configured + to run special network, security, or application software. + Examples include firewalls, intrusion detection/prevention systems, + network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. + The observer.* fields shall be populated with details of the system, if any, + that detects, observes and/or creates a network, security, or application event or metric. + Message queues and ETL components used in processing events or metrics are not considered observers in ECS. type: group fields: - name: mac diff --git a/schemas/related.yml b/schemas/related.yml index a55ac2183..fa5b337c2 100644 --- a/schemas/related.yml +++ b/schemas/related.yml 
@@ -10,7 +10,10 @@ To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. - A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. + A concrete example is IP addresses, which can be under host, observer, source, + destination, client, server, and network.forwarded_ip. + If you append all IPs to `related.ip`, you can then search for a given IP trivially, + no matter where it appeared, by querying `related.ip:a.b.c.d`. type: group fields: diff --git a/schemas/server.yml b/schemas/server.yml index dc69adbd2..9c4f6ab60 100644 --- a/schemas/server.yml +++ b/schemas/server.yml 
@@ -6,9 +6,16 @@ description: > A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. - For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. + For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. + For other protocols, the server is generally the responder in the network transaction. + Some systems actually use the term "responder" to refer the server in TCP connections. + The server fields describe details about the system acting as the server in the network event. + Server fields are usually populated in conjunction with client fields. + Server fields are generally not populated for packet-level events. - Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + Client / server representations can add semantic context to an exchange, + which is helpful to visualize the data in certain situations. + If your context falls in that category, you should still ensure that source and destination are filled appropriately. type: group fields:
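Review bot: the README.md hunk's removed and added lines read identically, so this is a trailing-whitespace-only change; the generated/beats/fields.ecs.yml hunk shows the same pattern, with the `-` line "Client fields are generally not " ending in a space that the `+` line drops. A sentence in the commit message saying the generator now strips trailing whitespace and the rendered text is unchanged would save the next reviewer from hunting for the difference.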
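Review bot: the schema.json hunk is likewise whitespace-only (the two long `"description"` strings read identically here), and that is the evidence worth calling out in the PR description: the schemas use `>` folded scalars, so the newly wrapped lines fold back into the same single-line text and the JSON keeps `\n` only at the blank-line paragraph breaks. It confirms the wrap changes nothing that consumers of schema.json can observe.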
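Review bot: two of the new lines in the schemas/observer.yml hunk still exceed the 100-character limit the subject line states: "network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers." is 101 characters before indentation, and "Message queues and ETL components used in processing events or metrics are not considered observers in ECS." is 107. Breaking the first after "firewalls," and the second after "metrics" would fix both. The same lines appear in the generated/legacy/fields.yml hunk, where the deeper indentation makes them longer still, so fix the source schema and regenerate rather than editing the generated file.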
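Review bot: in both the schemas/client.yml and schemas/server.yml hunks the final added line, "If your context falls in that category, you should still ensure that source and destination are filled appropriately.", is 117 characters of text, so these files also miss the stated limit; wrapping after "category," would bring it under. Two pre-existing nits in the same wrapped sentences, fine to defer if this PR is meant to be wrap-only: "to refer the client" / "to refer the server" should read "to refer to the client" / "to refer to the server", and server.yml opens with "A Server is defined" (capital S) where client.yml writes "A client is defined".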