Add os.type field

CHANGELOG.next.md

@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added `os.commercial_family`. #1111
 
 #### Improvements
 

docs/field-details.asciidoc

@@ -3853,6 +3853,21 @@ The OS fields contain information about the operating system.
 
 // ===============================================================
 
+| os.commercial_family
+| Categorize the operating system in one of the broad commercial families.
+
+One of these following values should be used (lowercase): linux, macos, unix, windows.
+
+type: keyword
+
+
+
+example: `macos`
+
+| extended
+
+// ===============================================================
+
 | os.family
 | OS family (such as redhat, debian, freebsd, windows).
 

experimental/generated/beats/fields.ecs.yml

@@ -2131,6 +2131,17 @@
         It can contain what `hostname` returns on Unix systems, the fully qualified
         domain name, or a name specified by the user. The sender decides which value
         to use.'
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
@@ -2879,6 +2890,17 @@
 
         If no custom name is needed, the field can be left empty.'
       example: 1_proxySG
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
@@ -2984,6 +3006,17 @@
     description: The OS fields contain information about the operating system.
     type: group
     fields:
+    - name: commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: family
       level: extended
       type: keyword
@@ -5666,6 +5699,17 @@
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
         (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword

experimental/generated/csv/fields.csv

@@ -243,6 +243,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -334,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -695,6 +697,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."

experimental/generated/ecs/ecs_flat.yml

@@ -3337,6 +3337,21 @@ host.name:
   normalize: []
   short: Name of the host.
   type: keyword
+host.os.commercial_family:
+  dashed_name: host-os-commercial-family
+  description: 'Categorize the operating system in one of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.'
+  example: macos
+  flat_name: host.os.commercial_family
+  ignore_above: 1024
+  level: extended
+  name: commercial_family
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 host.os.family:
   dashed_name: host-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
@@ -4473,6 +4488,21 @@ observer.name:
   normalize: []
   short: Custom name of the observer.
   type: keyword
+observer.os.commercial_family:
+  dashed_name: observer-os-commercial-family
+  description: 'Categorize the operating system in one of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.'
+  example: macos
+  flat_name: observer.os.commercial_family
+  ignore_above: 1024
+  level: extended
+  name: commercial_family
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 observer.os.family:
   dashed_name: observer-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
@@ -8710,6 +8740,21 @@ user_agent.original:
   normalize: []
   short: Unparsed user_agent string.
   type: wildcard
+user_agent.os.commercial_family:
+  dashed_name: user-agent-os-commercial-family
+  description: 'Categorize the operating system in one of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.'
+  example: macos
+  flat_name: user_agent.os.commercial_family
+  ignore_above: 1024
+  level: extended
+  name: commercial_family
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 user_agent.os.family:
   dashed_name: user-agent-os-family
   description: OS family (such as redhat, debian, freebsd, windows).

experimental/generated/ecs/ecs_nested.yml

@@ -4000,6 +4000,22 @@ host:
       normalize: []
       short: Name of the host.
       type: keyword
+    host.os.commercial_family:
+      dashed_name: host-os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      flat_name: host.os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     host.os.family:
       dashed_name: host-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -5253,6 +5269,22 @@ observer:
       normalize: []
       short: Custom name of the observer.
       type: keyword
+    observer.os.commercial_family:
+      dashed_name: observer-os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      flat_name: observer.os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     observer.os.family:
       dashed_name: observer-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -5461,6 +5493,21 @@ organization:
 os:
   description: The OS fields contain information about the operating system.
   fields:
+    os.commercial_family:
+      dashed_name: os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      flat_name: os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     os.family:
       dashed_name: os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -10024,6 +10071,22 @@ user_agent:
       normalize: []
       short: Unparsed user_agent string.
       type: wildcard
+    user_agent.os.commercial_family:
+      dashed_name: user-agent-os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      flat_name: user_agent.os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     user_agent.os.family:
       dashed_name: user-agent-os-family
       description: OS family (such as redhat, debian, freebsd, windows).

experimental/generated/elasticsearch/7/template.json

@@ -1103,6 +1103,10 @@
           },
           "os": {
             "properties": {
+              "commercial_family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "family": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1558,6 +1562,10 @@
           },
           "os": {
             "properties": {
+              "commercial_family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "family": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -3206,6 +3214,10 @@
           },
           "os": {
             "properties": {
+              "commercial_family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "family": {
                 "ignore_above": 1024,
                 "type": "keyword"

generated/beats/fields.ecs.yml

@@ -2174,6 +2174,17 @@
         It can contain what `hostname` returns on Unix systems, the fully qualified
         domain name, or a name specified by the user. The sender decides which value
         to use.'
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
@@ -2933,6 +2944,17 @@
 
         If no custom name is needed, the field can be left empty.'
       example: 1_proxySG
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
@@ -3041,6 +3063,17 @@
     description: The OS fields contain information about the operating system.
     type: group
     fields:
+    - name: commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: family
       level: extended
       type: keyword
@@ -5546,6 +5579,17 @@
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
         (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword