diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 54ae430335..6d9738be17 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -26,6 +26,7 @@ Thanks, you're awesome :-) --> * Expanded field set definitions for `source.*` and `destination.*`. #967 * Provided better guidance for mapping network events. #969 +* Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981 #### Deprecated diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go index 2e11982755..9c6336d4bf 100644 --- a/code/go/ecs/client.go +++ b/code/go/ecs/client.go @@ -70,6 +70,17 @@ type Client struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the client to the server. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go index e3417e5bb9..1985e8720b 100644 --- a/code/go/ecs/destination.go +++ b/code/go/ecs/destination.go @@ -66,6 +66,17 @@ type Destination struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the destination to the source. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go index 74253bbb72..bc395a115c 100644 --- a/code/go/ecs/server.go +++ b/code/go/ecs/server.go @@ -70,6 +70,17 @@ type Server struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the server to the client. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go index f8ab84d581..3e4becbbbd 100644 --- a/code/go/ecs/source.go +++ b/code/go/ecs/source.go @@ -66,6 +66,17 @@ type Source struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the source to the destination. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go index 7afac8f4ba..6c1ac3be75 100644 --- a/code/go/ecs/url.go +++ b/code/go/ecs/url.go @@ -62,6 +62,17 @@ type Url struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Port of the request, such as 443. Port int64 `ecs:"port"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index d13a5896c5..b716165642 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -407,6 +407,21 @@ example: `example.com` // =============================================================== +| client.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -967,6 +982,21 @@ example: `example.com` // =============================================================== +| destination.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -5058,6 +5088,21 @@ example: `example.com` // =============================================================== +| server.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -5397,6 +5442,21 @@ example: `example.com` // =============================================================== +| source.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -6321,6 +6381,21 @@ example: `https` // =============================================================== +| url.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 573abe8499..150ee1d911 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -302,6 +302,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -709,6 +723,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -4105,6 +4133,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -4427,6 +4469,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -5337,6 +5393,20 @@ Note: The `:` is not part of the scheme.' example: https + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 5b56c77a2a..baa380bfb8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -30,6 +30,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. 1.7.0-dev,true,client,client.port,long,core,,,Port of the client. 1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address. @@ -80,6 +81,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. 1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. @@ -478,6 +480,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. 1.7.0-dev,true,server,server.port,long,core,,,Port of the server. 1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address. @@ -519,6 +522,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. 1.7.0-dev,true,source,source.port,long,core,,,Port of the source. 1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address. @@ -637,6 +641,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. 1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 64540cebfe..a209023534 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -348,6 +348,24 @@ client.registered_domain: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword +client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -925,6 +943,24 @@ destination.registered_domain: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword +destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -6144,6 +6180,24 @@ server.registered_domain: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword +server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -6652,6 +6706,24 @@ source.registered_domain: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword +source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, @@ -8124,6 +8196,24 @@ url.scheme: normalize: [] short: Scheme of the url. type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ee213ac0c8..2189a64503 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -494,6 +494,24 @@ client: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword + client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -1213,6 +1231,24 @@ destination: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword + destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -7281,6 +7317,24 @@ server: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword + server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -7833,6 +7887,24 @@ source: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword + source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain @@ -9374,6 +9446,24 @@ url: normalize: [] short: Scheme of the url. type: keyword + url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index b16d3576ce..493159d4b3 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -151,6 +151,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -404,6 +408,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2254,6 +2262,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2452,6 +2464,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -3013,6 +3029,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 08071d1b91..b63f3af1c7 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -150,6 +150,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -403,6 +407,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2253,6 +2261,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2451,6 +2463,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -3012,6 +3028,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/client.yml b/schemas/client.yml index ec6175f692..e63ab70276 100644 --- a/schemas/client.yml +++ b/schemas/client.yml @@ -85,6 +85,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk". example: co.uk + - name: subdomain + level: extended + type: keyword + short: The subdomain of the domain. + description: > + The subdomain portion of a fully qualified domain name includes all of the names except + the host name under the registered_domain. In a partially qualified domain, or if the + the qualification level of the full name cannot be determined, subdomain contains all of + the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + example: east + # Metrics - name: bytes format: bytes diff --git a/schemas/destination.yml b/schemas/destination.yml index 42d3e154d5..a1e91958f7 100644 --- a/schemas/destination.yml +++ b/schemas/destination.yml @@ -80,6 +80,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk". example: co.uk + - name: subdomain + level: extended + type: keyword + short: The subdomain of the domain. + description: > + The subdomain portion of a fully qualified domain name includes all of the names except + the host name under the registered_domain. In a partially qualified domain, or if the + the qualification level of the full name cannot be determined, subdomain contains all of + the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + example: east + # Metrics - name: bytes format: bytes diff --git a/schemas/server.yml b/schemas/server.yml index 19fee450be..867b3bd03c 100644 --- a/schemas/server.yml +++ b/schemas/server.yml @@ -85,6 +85,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk". example: co.uk + - name: subdomain + level: extended + type: keyword + short: The subdomain of the domain. + description: > + The subdomain portion of a fully qualified domain name includes all of the names except + the host name under the registered_domain. In a partially qualified domain, or if the + the qualification level of the full name cannot be determined, subdomain contains all of + the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + example: east + # Metrics - name: bytes format: bytes diff --git a/schemas/source.yml b/schemas/source.yml index 65539b3d60..268b975312 100644 --- a/schemas/source.yml +++ b/schemas/source.yml @@ -80,6 +80,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk". example: co.uk + - name: subdomain + level: extended + type: keyword + short: The subdomain of the domain. + description: > + The subdomain portion of a fully qualified domain name includes all of the names except + the host name under the registered_domain. In a partially qualified domain, or if the + the qualification level of the full name cannot be determined, subdomain contains all of + the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + example: east + # Metrics - name: bytes format: bytes diff --git a/schemas/url.yml b/schemas/url.yml index 6ae2b572f2..8a523fbc8d 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -88,6 +88,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk". example: co.uk + - name: subdomain + level: extended + type: keyword + short: The subdomain of the domain. + description: > + The subdomain portion of a fully qualified domain name includes all of the names except + the host name under the registered_domain. In a partially qualified domain, or if the + the qualification level of the full name cannot be determined, subdomain contains all of + the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + example: east + - name: port format: string level: extended