[Documentation] Update Nesting Docs to Include Threat Indicator Fieldset

[peasead]

Summary

With the creation of the threat.indicator.* fieldset, there are updates needed for the nesting guidance for as.* and geo.* to allow those fieldsets to be nested under threat.indicator.*

Motivation:

Traditionally, threat information provided via a feed is non-directional (example: bad_asn:AS12345 vs. bad_source_asn:AS12345). This is replicated for Geographic information, if this is included, it may identify where the atomic indicator is located (geo.country_iso_code:CA vs. bad_source_geo.country_iso_code), but not if it is the source or destination. These fields are traditionally functionally-aligned and are nested under source.* and destination.*; however threat information generally doesn't have a direction assigned, so as.* and geo.* should be allowed under threat.indicator.*

Detailed Design:

Provide additional details around the design of the proposed changes.

PR will be needed to update the documentation at:

• https://github.com/elastic/ecs/blob/master/schemas/as.yml

Field Reuse
The as fields are expected to be nested at: client.as, destination.as, server.as, source.as, threat.indicator.

Note also that the as fields are not expected to be used directly at the root of the events.

• https://github.com/elastic/ecs/blob/master/schemas/geo.yml

Field Reuse
The geo fields are expected to be nested at: client.geo, destination.geo, host.geo, observer.geo, server.geo, source.geo, threat.indicator.

Note also that the geo fields are not expected to be used directly at the root of the events.

Related:
Threat Indicator Fieldset Issue

[peasead]

@ebeahan just checking if there is an action for me on this?

[ebeahan]

After the stage 2 changes were added, the reuses now appear in the ECS docs (under the 1.11 branch, for now): https://www.elastic.co/guide/en/ecs/1.11/ecs-threat.html#_field_reuse_21

[peasead]

@ebeahan is this issue still needed? The docs look to be updated.

[ebeahan]

We can close.