
[RFC] Extend Threat Fieldset - Stage 2 Proposal #1395

Merged
merged 10 commits into from
May 25, 2021

Conversation

peasead (Contributor) commented May 5, 2021

  • Have you signed the contributor license agreement? Yes
  • Have you followed the contributor guidelines? Yes
  • For proposing substantial changes or additions to the schema, have you reviewed the RFC process? Yes
  • If submitting code/script changes, have you verified all tests pass locally using make test? Yes
  • If submitting schema/fields updates, have you generated new artifacts by running make and committed those changes? Yes
  • Is your pull request against master? Unless there is a good reason otherwise, we prefer pull requests against master and will backport as needed. Yes
  • Have you added an entry to the CHANGELOG.next.md? Yes

Preview of the markdown proposal doc

Stage 2 Criteria

  • Opened pull request for this draft revising the existing proposal
  • Completed field definitions
  • Included a real world example source document
  • Identifies scope of impact of changes to ingestion mechanisms (e.g. beats/logstash), usage mechanisms (e.g. Kibana applications, detections), and the ECS project (e.g. docs, tooling)
  • Subject matter experts weighed in on technical utility of field definitions in the pull request

@peasead peasead added the RFC label May 5, 2021
@peasead peasead self-assigned this May 5, 2021
ebeahan (Member) commented May 13, 2021

Noted from reviewing the field definitions added in the last stage, do we want to keep threat.software.platforms plural? Based on the example, the field is expecting a single value:

https://github.com/elastic/ecs/blob/master/experimental/schemas/threat.yml#L216

peasead (Contributor, Author) commented May 17, 2021

Noted from reviewing the field definitions added in the last stage, do we want to keep threat.software.platforms plural? Based on the example, the field is expecting a single value:

https://github.com/elastic/ecs/blob/master/experimental/schemas/threat.yml#L216

Thanks Eric.

Yes, platforms should be plural. I made the changes in the descriptions to be plural.

ebeahan (Member) left a comment

Thanks for adjusting platforms. 👍

I added a note about using expected values for software.platforms, but I also think the same question applies to enumerating an expected value list for software.type.
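The two review points above (that a plural field such as `threat.software.platforms` should carry an array rather than a single value, and that fields like `software.platforms` and `software.type` benefit from an enumerated list of expected values) are the kind of thing a pre-ingest check can enforce. The following is an added example and not code from the ECS project or this pull request; the allowed-value sets are assumptions for illustration (the platform names follow the MITRE ATT&CK platform vocabulary and the type names follow the ATT&CK malware/tool split), and the sample documents are constructed, not real telemetry.

```python
"""Check threat.software.* fields in ECS-style documents.

Added example, not ECS project code. PLATFORMS_ALLOWED and
SOFTWARE_TYPE_ALLOWED are assumed vocabularies for illustration only;
the expected values ECS documents may differ.
"""
from typing import Any, List

# Assumed expected values (illustration, not the ECS-ratified lists).
PLATFORMS_ALLOWED = {
    "AWS", "Azure", "Azure AD", "GCP", "Linux", "macOS",
    "Network", "Office 365", "SaaS", "Windows",
}
SOFTWARE_TYPE_ALLOWED = {"Malware", "Tool"}


def get_path(doc: dict, dotted: str) -> Any:
    """Resolve a dotted ECS field name (e.g. 'threat.software.platforms')
    against a nested document. Returns None if any segment is missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_threat_software(doc: dict) -> List[str]:
    """Return a list of problems found; an empty list means the document
    passes. Absent fields are not an error (ECS fields are optional)."""
    problems: List[str] = []

    # platforms is plural: it must be an array of keywords, each from the
    # expected-value list. A bare string is the single-value mistake the
    # review comment asked about.
    platforms = get_path(doc, "threat.software.platforms")
    if platforms is not None:
        if not isinstance(platforms, list):
            problems.append(
                "threat.software.platforms must be an array (field is plural)"
            )
        elif not all(isinstance(p, str) for p in platforms):
            problems.append("threat.software.platforms must contain only strings")
        else:
            bad = sorted(set(platforms) - PLATFORMS_ALLOWED)
            if bad:
                problems.append(
                    f"threat.software.platforms has unexpected values: {bad}"
                )

    # type: accept a keyword or a list of keywords, but every value must be
    # from the expected-value list.
    stype = get_path(doc, "threat.software.type")
    if stype is not None:
        values = stype if isinstance(stype, list) else [stype]
        bad_types = sorted({str(v) for v in values} - SOFTWARE_TYPE_ALLOWED)
        if bad_types:
            problems.append(
                f"threat.software.type has unexpected values: {bad_types}"
            )
    return problems


# Constructed sample documents (not real data).
GOOD_DOC = {"threat": {"software": {
    "name": "example-tool", "type": "Tool", "platforms": ["Linux", "Windows"]}}}
SCALAR_PLATFORM_DOC = {"threat": {"software": {
    "name": "example-tool", "type": "Tool", "platforms": "Windows"}}}
BAD_VALUES_DOC = {"threat": {"software": {
    "name": "example-tool", "type": "Backdoor", "platforms": ["Linux", "Solaris"]}}}


if __name__ == "__main__":
    for label, d in [("good", GOOD_DOC), ("scalar", SCALAR_PLATFORM_DOC),
                     ("bad", BAD_VALUES_DOC)]:
        print(label, validate_threat_software(d))
```

The check deliberately treats a missing field as fine and a wrongly shaped one as an error, which matches how schema drift usually shows up: producers that emit `"platforms": "Windows"` will index, but aggregations over the field then mix scalars with arrays, and the enumerated vocabulary is what lets detections key on stable values.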

ebeahan (Member) left a comment

LGTM 👍

@devonakerr as the sponsor, would you also review?

devonakerr commented
Yessir.

devonakerr left a comment

LGTM - Andy, I appreciate the attention to detail.

@peasead peasead merged commit 10a8f4d into elastic:master May 25, 2021
@peasead peasead deleted the extend-threat-stage-2 branch May 25, 2021 15:34
ebeahan (Member) commented May 25, 2021

Opened #1429 to set the correct advancement date on the RFC.

rylnd added a commit to rylnd/ecs that referenced this pull request May 28, 2021
* master:
  Stage 2 changes for RFC 0018 - extending the `threat.*` field set (elastic#1438)
  Remove deprecated `host.user.*` fields (elastic#1439)
  Explicitly include user identifiers in `related.user` field description (elastic#1420)
  Set the merge date on RFC 0018 stage 2 (elastic#1429)
  [RFC] Extend Threat Fieldset - Stage 2 Proposal (elastic#1395)
  [Tooling] Add --exclude flag to Generator to support field removal testing (elastic#1411)
  Add `host.user.*` deprecation notice in field reuse description (elastic#1422)
  Stage 2 changes for RFC 0015 - `elf` header (elastic#1410)
  Stage 3 changes for RFC 0012 - `orchestrator` field set (elastic#1417)
  Support `match_only_text` in Go code generator (elastic#1418)
  Stage 3 Orchestrator RFC (elastic#1343)
  moving into folder (elastic#1416)
  removing use-cases (elastic#1405)
  removing --oss (elastic#1404)
  Set the merge date on RFC 0015 stage 2 (elastic#1409)
  Consolidate `Breaking changes` sections in `CHANGELOG.next` (elastic#1408)
  RFC-Stage-0: Proposal to add a "ticket" schema / field definition to ECS (elastic#1383)
  [RFC] `match_only_text` type migration - Stage 0 (elastic#1396)
  Client port is wrongly documented (elastic#1402) (elastic#1406)