From e1eae101c3bd6be3ed402f9151997b4b99cd3207 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 28 Oct 2020 09:52:55 +0100 Subject: [PATCH 1/4] Update cisco nexus and meraki fields / docs / config --- .../meraki/agent/stream/stream.yml.hbs | 2 + .../meraki/agent/stream/tcp.yml.hbs | 2 + .../meraki/agent/stream/udp.yml.hbs | 2 + .../data_stream/meraki/fields/base-fields.yml | 12 +- .../cisco/data_stream/meraki/fields/ecs.yml | 137 ++++++++++++------ .../nexus/agent/stream/stream.yml.hbs | 4 +- .../nexus/agent/stream/tcp.yml.hbs | 4 +- .../nexus/agent/stream/udp.yml.hbs | 4 +- .../data_stream/nexus/fields/base-fields.yml | 12 +- .../cisco/data_stream/nexus/fields/ecs.yml | 137 +++++++++++++----- packages/cisco/docs/README.md | 57 +++++--- packages/cisco/manifest.yml | 2 +- 12 files changed, 251 insertions(+), 124 deletions(-) diff --git a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs index 9c8f264d199..15c0172e85f 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs @@ -13,7 +13,9 @@ fields: vendor: "Cisco" product: "Meraki" type: "Wireless" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: diff --git a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs index 4aa3b4396a1..3fe133ef0b1 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Cisco" product: "Meraki" type: "Wireless" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: diff --git a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs index 70325c23fb8..7568cc151a5 100644 
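Review bot: The meraki stream/tcp/udp templates gain the `{{#contains tags "forwarded"}}` guard but, unlike the nexus templates later in this patch, do not bump `ecs.version` — the diffstat shows 2 insertions for each meraki .hbs against 4 +- for each nexus .hbs, where the nexus hunks change `ecs.version: 1.5.0` to `1.6.0`, while both ecs.yml files now end at the same blob (52364693993) and carry ECS 1.6.0 wording in the http.request.method description. If the meraki templates still emit `ecs.version: 1.5.0` (the tail of those files is not in this patch), meraki events will advertise a schema version that does not match the mapping they were generated against; add `ecs.version: 1.6.0` to the meraki templates or confirm it is set elsewhere. The same guard is pasted into six templates (the udp hunk below and the three nexus hunks as well), so a one-line comment on the opened block would help future edits, e.g. `# publisher host metadata is only suppressed for events tagged "forwarded"`. The enclosing template continues outside the hunk in every case.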
--- a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Cisco" product: "Meraki" type: "Wireless" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: diff --git a/packages/cisco/data_stream/meraki/fields/base-fields.yml b/packages/cisco/data_stream/meraki/fields/base-fields.yml index 384c977f001..7c798f4534c 100644 --- a/packages/cisco/data_stream/meraki/fields/base-fields.yml +++ b/packages/cisco/data_stream/meraki/fields/base-fields.yml @@ -1,14 +1,12 @@ - name: data_stream.type type: constant_keyword - description: Datastream type. + description: Data stream type. - name: data_stream.dataset type: constant_keyword - description: Datastream dataset. + description: Data stream dataset. - name: data_stream.namespace type: constant_keyword - description: Datastream namespace. -- name: "@timestamp" + description: Data stream namespace. +- name: '@timestamp' type: date - description: > - Event timestamp. - + description: Event timestamp. diff --git a/packages/cisco/data_stream/meraki/fields/ecs.yml b/packages/cisco/data_stream/meraki/fields/ecs.yml index 37a6e8de963..52364693993 100644 --- a/packages/cisco/data_stream/meraki/fields/ecs.yml +++ b/packages/cisco/data_stream/meraki/fields/ecs.yml @@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: level level: core type: keyword 
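Review bot: The new `index: false` on log.original covers only half of what the field's own description promises — the unchanged description above it states the field "is not indexed and doc_values are disabled", yet no `doc_values: false` is added, so a keyword field presumably still builds doc_values and stays sortable/aggregatable. Either add `doc_values: false` directly below `index: false`, or reword the description to match the mapping that is actually declared. The nexus ecs.yml hunk at `@@ -11,6 +11,7 @@` further down has the same gap. The log.original definition begins before this hunk.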
@@ -86,16 +87,13 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core + - name: timezone + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - name: ingested level: core type: date 
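Review bot: Dropping the `event.category` definition (and, in the later `@@ -660,23 +715,6 @@` hunk of this file, `http.response.body.content`) removes the explicit mapping without any pipeline change in this patch; if the meraki ingest pipeline or the script processor in the templates still emits `event.category`, default dynamic mapping would type it as text with a keyword sub-field rather than keyword, which breaks aggregations and visualizations that expect the keyword `event.category` the remaining event.outcome description still counts among the "four ECS Categorization Fields". Please confirm the pipeline no longer sets these fields, or keep the definitions. The nexus ecs.yml hunk at `@@ -86,16 +87,6 @@` makes the same removal.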
@@ -104,13 +102,8 @@ This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' - - name: timezone - level: extended - type: keyword - ignore_above: 1024 - description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true @@ -123,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -159,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -175,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long 
@@ -244,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -276,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long @@ -345,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: 
@@ -531,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -541,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: @@ -566,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: 
@@ -660,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -692,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: @@ -747,10 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. diff --git a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs index e414022d355..a66fad05d81 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs 
@@ -13,7 +13,9 @@ fields: vendor: "Cisco" product: "Nexus" type: "Switches" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -6967,4 +6969,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs index 48d57de5502..7fa92c57ca9 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Cisco" product: "Nexus" type: "Switches" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -6964,4 +6966,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs index 0585a2a4b19..bea5b21e8aa 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Cisco" product: "Nexus" type: "Switches" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -6964,4 +6966,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/cisco/data_stream/nexus/fields/base-fields.yml b/packages/cisco/data_stream/nexus/fields/base-fields.yml index 384c977f001..7c798f4534c 100644 --- a/packages/cisco/data_stream/nexus/fields/base-fields.yml +++ b/packages/cisco/data_stream/nexus/fields/base-fields.yml 
@@ -1,14 +1,12 @@ - name: data_stream.type type: constant_keyword - description: Datastream type. + description: Data stream type. - name: data_stream.dataset type: constant_keyword - description: Datastream dataset. + description: Data stream dataset. - name: data_stream.namespace type: constant_keyword - description: Datastream namespace. -- name: "@timestamp" + description: Data stream namespace. +- name: '@timestamp' type: date - description: > - Event timestamp. - + description: Event timestamp. diff --git a/packages/cisco/data_stream/nexus/fields/ecs.yml b/packages/cisco/data_stream/nexus/fields/ecs.yml index f608a0720d0..52364693993 100644 --- a/packages/cisco/data_stream/nexus/fields/ecs.yml +++ b/packages/cisco/data_stream/nexus/fields/ecs.yml @@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: level level: core type: keyword @@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword 
@@ -103,6 +94,16 @@ description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true @@ -115,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -151,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -167,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long 
@@ -236,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -268,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long @@ -337,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: 
@@ -523,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -533,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: @@ -558,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: 
@@ -652,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -684,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: @@ -739,10 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index 24ade472c4c..c303589cd58 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md 
@@ -139,17 +139,19 @@ The `nexus` dataset collects Cisco Nexus logs. | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| data_stream.dataset | Datastream dataset. | constant_keyword | -| data_stream.namespace | Datastream namespace. | constant_keyword | -| data_stream.type | Datastream type. | constant_keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | Destination domain. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location.lat | | double | | destination.geo.location.lon | | double | -| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.mac | MAC address of the destination. 
| keyword | | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | 
@@ -157,9 +159,10 @@ The `nexus` dataset collects Cisco Nexus logs. | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | | dns.answers.type | The type of data contained in this resource record. | keyword | | dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
| date | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | 
@@ -173,13 +176,14 @@ The `nexus` dataset collects Cisco Nexus logs. | geo.country_name | Country name. | keyword | | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.content | The full HTTP response body. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | @@ -203,6 +207,7 @@ The `nexus` dataset collects Cisco Nexus logs. | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.user | All the user names seen on your event. | keyword | | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | 
@@ -879,13 +884,15 @@ The `nexus` dataset collects Cisco Nexus logs. | server.domain | Server domain. | keyword | | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | Source domain. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location.lat | | double | | source.geo.location.lon | | double | -| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.mac | MAC address of the source. | keyword | | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | 
@@ -894,11 +901,11 @@ The `nexus` dataset collects Cisco Nexus logs.
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
 | url.path | Path of the request, such as "/search". | keyword |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.full_name | User's full name, if available. | keyword |
-| user.id | Unique identifiers of the user. | keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
@@ -912,17 +919,19 @@ The `meraki` dataset collects Cisco Meraki logs.
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| data_stream.dataset | Datastream dataset. | constant_keyword |
-| data_stream.namespace | Datastream namespace. | constant_keyword |
-| data_stream.type | Datastream type. | constant_keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | Destination domain. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location.lat | | double |
 | destination.geo.location.lon | | double |
-| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.mac | MAC address of the destination.
| keyword |
 | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
 | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
@@ -930,8 +939,8 @@ The `meraki` dataset collects Cisco Meraki logs.
 | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
 | dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.question.type | The type of record being queried. | keyword |
+| error.message | Error message. | text |
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
| date |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
@@ -947,13 +956,14 @@ The `meraki` dataset collects Cisco Meraki logs.
 | geo.country_name | Country name. | keyword |
 | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
 | geo.region_name | Region name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.content | The full HTTP response body. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
| keyword |
 | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword |
 | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
@@ -977,6 +987,7 @@ The `meraki` dataset collects Cisco Meraki logs.
 | process.pid | Process id. | long |
 | process.ppid | Parent process' pid. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| related.user | All the user names seen on your event. | keyword |
 | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
 | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
 | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
@@ -1653,13 +1664,15 @@ The `meraki` dataset collects Cisco Meraki logs.
 | server.domain | Server domain. | keyword |
 | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.domain | Source domain. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location.lat | | double |
 | source.geo.location.lon | | double |
-| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. | keyword |
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
@@ -1668,11 +1681,11 @@ The `meraki` dataset collects Cisco Meraki logs.
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
 | url.path | Path of the request, such as "/search". | keyword |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.full_name | User's full name, if available. | keyword |
-| user.id | Unique identifiers of the user. | keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml
index d950316ec3c..e77d9ed4c84 100644
--- a/packages/cisco/manifest.yml
+++ b/packages/cisco/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco
 title: Cisco
-version: 0.6.1
+version: 0.7.0
 license: basic
 description: Cisco Integration
 type: integration
From 60f198bd725eb509f7902854876e37f2fad721ce Mon Sep 17 00:00:00 2001
From: Adrian Serrano Date: Wed, 28 Oct 2020 10:20:09 +0100 Subject: [PATCH 2/4] Update fortinet fields / docs / config --- .../clientendpoint/agent/stream/log.yml.hbs | 4 +- .../clientendpoint/agent/stream/tcp.yml.hbs | 4 +- .../clientendpoint/agent/stream/udp.yml.hbs | 4 +- .../data_stream/clientendpoint/fields/ecs.yml | 139 +++++++++++------ .../fortimail/agent/stream/log.yml.hbs | 4 +- .../fortimail/agent/stream/tcp.yml.hbs | 4 +- .../fortimail/agent/stream/udp.yml.hbs | 4 +- .../fortimail/fields/base-fields.yml | 12 +- .../data_stream/fortimail/fields/ecs.yml | 140 ++++++++++++------ .../fortimanager/agent/stream/log.yml.hbs | 4 +- .../fortimanager/agent/stream/tcp.yml.hbs | 4 +- .../fortimanager/agent/stream/udp.yml.hbs | 4 +- .../fortimanager/fields/base-fields.yml | 12 +- .../data_stream/fortimanager/fields/ecs.yml | 140 ++++++++++++------ packages/fortinet/docs/README.md | 91 +++++++----- packages/fortinet/manifest.yml | 2 +- 16 files changed, 381 insertions(+), 191 deletions(-) diff --git a/packages/fortinet/data_stream/clientendpoint/agent/stream/log.yml.hbs b/packages/fortinet/data_stream/clientendpoint/agent/stream/log.yml.hbs index dd5e7f72d38..7edaef03738 100644 --- a/packages/fortinet/data_stream/clientendpoint/agent/stream/log.yml.hbs +++ b/packages/fortinet/data_stream/clientendpoint/agent/stream/log.yml.hbs @@ -13,7 +13,9 @@ fields: vendor: "Fortinet" product: "FortiClient" type: "Anti-Virus" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -2556,4 +2558,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 \ No newline at end of file + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/clientendpoint/agent/stream/tcp.yml.hbs b/packages/fortinet/data_stream/clientendpoint/agent/stream/tcp.yml.hbs index 52930aa140f..3f6ed0591f6 100644 --- a/packages/fortinet/data_stream/clientendpoint/agent/stream/tcp.yml.hbs 
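Review bot: The `{{#contains tags "forwarded"}}` guard around `publisher_pipeline.disable_host: true` in the log.yml.hbs hunk means that an input whose policy lacks the `forwarded` tag will presumably have the collecting agent's own `host.*` fields attached to FortiClient events, so host attribution in these events now depends on a tag the operator sets elsewhere. A one-line YAML comment above the guard, `# host.* is only suppressed for inputs tagged "forwarded"; untagged inputs are attributed to the agent host`, would make that dependency visible in the template. The same guarded block is added to the tcp and udp templates of this and the other Fortinet data streams further down, so the comment belongs in each of them.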
+++ b/packages/fortinet/data_stream/clientendpoint/agent/stream/tcp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Fortinet" product: "FortiClient" type: "Anti-Virus" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -2553,4 +2555,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/clientendpoint/agent/stream/udp.yml.hbs b/packages/fortinet/data_stream/clientendpoint/agent/stream/udp.yml.hbs index d58df2592f5..32fb63ce690 100644 --- a/packages/fortinet/data_stream/clientendpoint/agent/stream/udp.yml.hbs +++ b/packages/fortinet/data_stream/clientendpoint/agent/stream/udp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Fortinet" product: "FortiClient" type: "Anti-Virus" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -2553,4 +2555,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/clientendpoint/fields/ecs.yml b/packages/fortinet/data_stream/clientendpoint/fields/ecs.yml index 693332ab005..52364693993 100644 --- a/packages/fortinet/data_stream/clientendpoint/fields/ecs.yml +++ b/packages/fortinet/data_stream/clientendpoint/fields/ecs.yml @@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: level level: core type: keyword 
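Review bot: The `+ index: false` added to the `log.original` definition in the clientendpoint ecs.yml hunk only disables indexing, while the description immediately above it states that doc_values are disabled too; add `doc_values: false` on the next line so the mapping matches the documented contract and the field stops occupying doc_values storage. The identical hunk in the fortimail ecs.yml (`@@ -11,6 +11,7 @@`) further down needs the same one-line addition. The field definition begins outside this hunk.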
@@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword @@ -104,8 +95,15 @@ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - name: ingested + level: core type: date - description: Timestamp when an event arrived in the central data store. + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true 
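Review bot: Removing the `event.category` definition drops the explicit keyword mapping of a field that the ECS categorization model and security detections filter on; if the data stream's processors still emit `event.category`, it will now be mapped dynamically, so either confirm it is declared in another fields file of this data stream or keep the definition here. The same concern applies to the `http.response.body.content` and `related.hosts` definitions removed later in this file (the new `related` group introduced in the following hunk declares only `user`, so `hosts` is not carried over) and to the identical `event.category` removal in the fortimail ecs.yml. If these fields are intentionally no longer produced, a short comment on the `event` group such as `# event.category/type/kind are declared in <OTHER_FIELDS_FILE> for this data stream` would record where the mapping now lives.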
@@ -118,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -154,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -170,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long @@ -239,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -271,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long 
@@ -340,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: @@ -526,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -536,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: 
@@ -561,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: @@ -655,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -687,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: 
@@ -742,13 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME -- name: related.hosts - type: keyword - description: All the host identifiers seen on your event. +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. diff --git a/packages/fortinet/data_stream/fortimail/agent/stream/log.yml.hbs b/packages/fortinet/data_stream/fortimail/agent/stream/log.yml.hbs index 8d79a97a85a..c7c44175ade 100644 --- a/packages/fortinet/data_stream/fortimail/agent/stream/log.yml.hbs +++ b/packages/fortinet/data_stream/fortimail/agent/stream/log.yml.hbs @@ -13,7 +13,9 @@ fields: vendor: "Fortinet" product: "FortiMail" type: "Firewall" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -4248,4 +4250,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 \ No newline at end of file + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/fortimail/agent/stream/tcp.yml.hbs b/packages/fortinet/data_stream/fortimail/agent/stream/tcp.yml.hbs index d4f74b27255..6abff503f62 100644 --- a/packages/fortinet/data_stream/fortimail/agent/stream/tcp.yml.hbs +++ b/packages/fortinet/data_stream/fortimail/agent/stream/tcp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Fortinet" product: "FortiMail" type: "Firewall" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -4245,4 +4247,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 
diff --git a/packages/fortinet/data_stream/fortimail/agent/stream/udp.yml.hbs b/packages/fortinet/data_stream/fortimail/agent/stream/udp.yml.hbs index 337fe16c79d..f5f581542c2 100644 --- a/packages/fortinet/data_stream/fortimail/agent/stream/udp.yml.hbs +++ b/packages/fortinet/data_stream/fortimail/agent/stream/udp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Fortinet" product: "FortiMail" type: "Firewall" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -4245,4 +4247,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml index 384c977f001..7c798f4534c 100644 --- a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml @@ -1,14 +1,12 @@ - name: data_stream.type type: constant_keyword - description: Datastream type. + description: Data stream type. - name: data_stream.dataset type: constant_keyword - description: Datastream dataset. + description: Data stream dataset. - name: data_stream.namespace type: constant_keyword - description: Datastream namespace. -- name: "@timestamp" + description: Data stream namespace. +- name: '@timestamp' type: date - description: > - Event timestamp. - + description: Event timestamp. diff --git a/packages/fortinet/data_stream/fortimail/fields/ecs.yml b/packages/fortinet/data_stream/fortimail/fields/ecs.yml index e35dfd145f8..52364693993 100644 --- a/packages/fortinet/data_stream/fortimail/fields/ecs.yml +++ b/packages/fortinet/data_stream/fortimail/fields/ecs.yml @@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: level level: core type: keyword 
@@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword @@ -103,6 +94,16 @@ description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true 
@@ -115,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -151,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -167,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long @@ -236,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -268,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long 
@@ -337,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: @@ -523,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -533,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: 
@@ -558,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: @@ -652,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -684,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: 
@@ -739,13 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME -- name: related.hosts - type: keyword - description: All the host identifiers seen on your event. +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. diff --git a/packages/fortinet/data_stream/fortimanager/agent/stream/log.yml.hbs b/packages/fortinet/data_stream/fortimanager/agent/stream/log.yml.hbs index 669773636ad..f68faba7dd1 100644 --- a/packages/fortinet/data_stream/fortimanager/agent/stream/log.yml.hbs +++ b/packages/fortinet/data_stream/fortimanager/agent/stream/log.yml.hbs @@ -13,7 +13,9 @@ fields: vendor: "Fortinet" product: "FortiManager" type: "Configuration" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -3048,4 +3050,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 \ No newline at end of file + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/fortimanager/agent/stream/tcp.yml.hbs b/packages/fortinet/data_stream/fortimanager/agent/stream/tcp.yml.hbs index 589f23c887a..630fe1efa7a 100644 --- a/packages/fortinet/data_stream/fortimanager/agent/stream/tcp.yml.hbs +++ b/packages/fortinet/data_stream/fortimanager/agent/stream/tcp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Fortinet" product: "FortiManager" type: "Configuration" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: 
@@ -3045,4 +3047,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/fortimanager/agent/stream/udp.yml.hbs b/packages/fortinet/data_stream/fortimanager/agent/stream/udp.yml.hbs index 29e3d875248..ced2bac3fdd 100644 --- a/packages/fortinet/data_stream/fortimanager/agent/stream/udp.yml.hbs +++ b/packages/fortinet/data_stream/fortimanager/agent/stream/udp.yml.hbs @@ -10,7 +10,9 @@ fields: vendor: "Fortinet" product: "FortiManager" type: "Configuration" +{{#contains tags "forwarded"}} publisher_pipeline.disable_host: true +{{/contains}} processors: - script: @@ -3045,4 +3047,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml index 384c977f001..7c798f4534c 100644 --- a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml @@ -1,14 +1,12 @@ - name: data_stream.type type: constant_keyword - description: Datastream type. + description: Data stream type. - name: data_stream.dataset type: constant_keyword - description: Datastream dataset. + description: Data stream dataset. - name: data_stream.namespace type: constant_keyword - description: Datastream namespace. -- name: "@timestamp" + description: Data stream namespace. +- name: '@timestamp' type: date - description: > - Event timestamp. - + description: Event timestamp. diff --git a/packages/fortinet/data_stream/fortimanager/fields/ecs.yml b/packages/fortinet/data_stream/fortimanager/fields/ecs.yml index e35dfd145f8..52364693993 100644 --- a/packages/fortinet/data_stream/fortimanager/fields/ecs.yml +++ b/packages/fortinet/data_stream/fortimanager/fields/ecs.yml 
@@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: level level: core type: keyword @@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword 
@@ -103,6 +94,16 @@ description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true @@ -115,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -151,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -167,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long 
@@ -236,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -268,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long @@ -337,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: 
@@ -523,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -533,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: @@ -558,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: 
@@ -652,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -684,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: @@ -739,13 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME -- name: related.hosts - type: keyword - description: All the host identifiers seen on your event. +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. diff --git a/packages/fortinet/docs/README.md b/packages/fortinet/docs/README.md index 8e87eed7362..8e14db6e542 100644 --- a/packages/fortinet/docs/README.md +++ b/packages/fortinet/docs/README.md 
@@ -569,18 +569,20 @@ The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security log | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | Destination domain. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location.lat | | double | | destination.geo.location.lon | | double | -| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.mac | MAC address of the destination. | keyword | | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | 
@@ -588,10 +590,10 @@ The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security log | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | | dns.answers.type | The type of data contained in this resource record. | keyword | | dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | 
@@ -605,13 +607,14 @@ The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security log | geo.country_name | Country name. | keyword | | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.content | The full HTTP response body. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | @@ -635,7 +638,7 @@ The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security log | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| related.hosts | All the host identifiers seen on your event. | keyword | +| related.user | All the user names seen on your event. | keyword | | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | 
@@ -1312,13 +1315,15 @@ The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security log | server.domain | Server domain. | keyword | | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | Source domain. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location.lat | | double | | source.geo.location.lon | | double | -| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.mac | MAC address of the source. | keyword | | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | 
@@ -1327,11 +1332,11 @@ The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security log | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | | url.path | Path of the request, such as "/search". | keyword | | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.full_name | User's full name, if available. | keyword | -| user.id | Unique identifiers of the user. | keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user_agent.original | Unparsed user_agent string. | keyword | 
@@ -1344,18 +1349,20 @@ The `fortimail` dataset collects Fortinet FortiMail logs. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Datastream dataset. | constant_keyword | -| data_stream.namespace | Datastream namespace. | constant_keyword | -| data_stream.type | Datastream type. | constant_keyword | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | Destination domain. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location.lat | | double | | destination.geo.location.lon | | double | -| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | | destination.mac | MAC address of the destination. | keyword | | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | 
@@ -1363,9 +1370,10 @@ The `fortimail` dataset collects Fortinet FortiMail logs. | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | | dns.answers.type | The type of data contained in this resource record. | keyword | | dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
| date | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | 
@@ -1379,13 +1387,14 @@ The `fortimail` dataset collects Fortinet FortiMail logs. | geo.country_name | Country name. | keyword | | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.content | The full HTTP response body. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | @@ -1409,7 +1418,7 @@ The `fortimail` dataset collects Fortinet FortiMail logs. | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| related.hosts | All the host identifiers seen on your event. | keyword | +| related.user | All the user names seen on your event. | keyword | | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | 
@@ -2086,13 +2095,15 @@ The `fortimail` dataset collects Fortinet FortiMail logs. | server.domain | Server domain. | keyword | | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | Source domain. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location.lat | | double | | source.geo.location.lon | | double | -| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.mac | MAC address of the source. | keyword | | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | 
@@ -2101,11 +2112,11 @@ The `fortimail` dataset collects Fortinet FortiMail logs. | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | | url.path | Path of the request, such as "/search". | keyword | | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.full_name | User's full name, if available. | keyword | -| user.id | Unique identifiers of the user. | keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user_agent.original | Unparsed user_agent string. | keyword | 
@@ -2118,18 +2129,20 @@ The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Datastream dataset. | constant_keyword | -| data_stream.namespace | Datastream namespace. | constant_keyword | -| data_stream.type | Datastream type. | constant_keyword | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | Destination domain. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location.lat | | double | | destination.geo.location.lon | | double | -| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | | destination.mac | MAC address of the destination. | keyword | | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | 
@@ -2137,9 +2150,10 @@ The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | | dns.answers.type | The type of data contained in this resource record. | keyword | | dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
| date | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | 
@@ -2153,13 +2167,14 @@ The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. | geo.country_name | Country name. | keyword | | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.content | The full HTTP response body. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | @@ -2183,7 +2198,7 @@ The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| related.hosts | All the host identifiers seen on your event. | keyword | +| related.user | All the user names seen on your event. | keyword | | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | 
@@ -2860,13 +2875,15 @@ The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. | server.domain | Server domain. | keyword | | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | Source domain. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location.lat | | double | | source.geo.location.lon | | double | -| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.mac | MAC address of the source. | keyword | | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | 
@@ -2875,11 +2892,11 @@ The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | | url.path | Path of the request, such as "/search". | keyword | | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.full_name | User's full name, if available. | keyword | -| user.id | Unique identifiers of the user. | keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/fortinet/manifest.yml b/packages/fortinet/manifest.yml index b01dfdd3a1c..501dc2b8fbd 100644 --- a/packages/fortinet/manifest.yml +++ b/packages/fortinet/manifest.yml @@ -1,6 +1,6 @@ name: fortinet title: Fortinet -version: 0.4.0 +version: 0.5.0 release: experimental description: Fortinet Integration type: integration From f82293e38724f589e0de586bbb322bd15b0039fe Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 28 Oct 2020 10:32:21 +0100 Subject: [PATCH 3/4] Update juniper fields / docs / config --- .../junos/agent/stream/stream.yml.hbs | 2 +- .../junos/agent/stream/tcp.yml.hbs | 2 +- .../junos/agent/stream/udp.yml.hbs | 2 +- .../data_stream/junos/fields/base-fields.yml | 9 +- .../juniper/data_stream/junos/fields/ecs.yml | 137 +++++++++++++----- .../netscreen/agent/stream/stream.yml.hbs | 2 +- .../netscreen/agent/stream/tcp.yml.hbs | 2 +- .../netscreen/agent/stream/udp.yml.hbs | 2 +- .../netscreen/fields/base-fields.yml | 12 +- .../data_stream/netscreen/fields/ecs.yml | 137 +++++++++++++----- packages/juniper/docs/README.md | 29 ++-- packages/juniper/manifest.yml | 2 +- 12 files changed, 230 insertions(+), 108 deletions(-) diff --git a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs index 76107a77293..b86a245795d 100644 --- a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs @@ -12348,4 +12348,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs index d454e289f21..d51096f97f0 100644 --- a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs @@ -12344,4 +12344,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs index 4a5a8086730..788daaa1c54 100644 --- a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs 
@@ -12344,4 +12344,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/packages/juniper/data_stream/junos/fields/base-fields.yml b/packages/juniper/data_stream/junos/fields/base-fields.yml
index ee37956123d..7c798f4534c 100644
--- a/packages/juniper/data_stream/junos/fields/base-fields.yml
+++ b/packages/juniper/data_stream/junos/fields/base-fields.yml
@@ -1,9 +1,12 @@
 - name: data_stream.type
 type: constant_keyword
- description: Datastream type.
+ description: Data stream type.
 - name: data_stream.dataset
 type: constant_keyword
- description: Datastream dataset.
+ description: Data stream dataset.
 - name: data_stream.namespace
 type: constant_keyword
- description: Datastream namespace.
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/juniper/data_stream/junos/fields/ecs.yml b/packages/juniper/data_stream/junos/fields/ecs.yml
index f608a0720d0..52364693993 100644
--- a/packages/juniper/data_stream/junos/fields/ecs.yml
+++ b/packages/juniper/data_stream/junos/fields/ecs.yml
@@ -11,6 +11,7 @@
 This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.'
 example: Sep 19 08:26:10 localhost My log
+ index: false
 - name: level
 level: core
 type: keyword
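Review bot: The `@timestamp` definition added at the end of the base-fields.yml hunk duplicates the one in ecs.yml of the same data stream, which the following hunks of this patch show with `level: core`, `required: true` and the long ECS description, so the junos field set now declares `@timestamp` twice with two different descriptions. Which copy ends up in the generated mapping and docs depends on the order in which the field files are merged, and I would not rely on that; the fortinet README hunks earlier in this patch render the long description, which suggests the ecs.yml copy wins. Keep the field in one place, presumably by dropping the three added lines here, or make the description identical in both files.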
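Review bot: `index: false` on its own does not match the description of the field this ecs.yml hunk touches, which states that the field is not indexed and that doc_values are disabled; the hunk leaves doc_values at their default, so the field still costs columnar storage. Add `doc_values: false` next to the added line, which is what ECS specifies for `log.original` (the field name is outside the hunk, but the description is the ECS one for that field). Note that with `index: false` the value can only be retrieved from `_source`, so detection rules and searches that need the raw syslog line should target `message` rather than this field.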
@@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword @@ -103,6 +94,16 @@ description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true 
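Review bot: Removing the event.category definition drops the mapping for the field that detection rules and the security app filter on most, while event.outcome and event.timezone in the same hunk keep theirs. If the junos stream pipeline (not in this hunk) still sets event.category, the value would be left to dynamic mapping or rejected depending on the index template's dynamic setting, so I'd confirm against a sample event that the pipeline genuinely never emits it before dropping the definition; if it does, keep the block rather than delete it. The netscreen ecs.yml hunk further down removes the same field, and two later hunks remove http.response.body.content in the same way.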
@@ -115,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -151,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -167,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long @@ -236,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -268,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long 
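Review bot: The new related group maps only related.user, although the same patch adds source.ip and destination.ip mappings and ECS 1.6.0 also defines related.ip, which is the usual pivot field for firewall and VPN events. If the junos pipeline (outside this hunk) populates related.ip, it is missing a mapping here; if it does not, this is fine as is, but it is worth a check since the fields file is presumably meant to mirror what the pipeline emits. Adding it would be a sibling entry `- name: ip` / `type: ip` / `level: extended` under the same fields list.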
@@ -337,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: @@ -523,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -533,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: 
@@ -558,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: @@ -652,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -684,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: @@ -739,10 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. 
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/stream.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/stream.yml.hbs
index 11454a71215..8f939de2a6f 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/stream.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/stream.yml.hbs
@@ -26307,4 +26307,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
index 0fb03895389..4168bd57f4d 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
@@ -26305,4 +26305,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs
index 616b59381ca..d95f9b0394f 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs
@@ -26304,4 +26304,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/packages/juniper/data_stream/netscreen/fields/base-fields.yml b/packages/juniper/data_stream/netscreen/fields/base-fields.yml
index 384c977f001..7c798f4534c 100644
--- a/packages/juniper/data_stream/netscreen/fields/base-fields.yml
+++ b/packages/juniper/data_stream/netscreen/fields/base-fields.yml
@@ -1,14 +1,12 @@ - name: data_stream.type type: constant_keyword - description: Datastream type. + description: Data stream type. - name: data_stream.dataset type: constant_keyword - description: Datastream dataset. + description: Data stream dataset. - name: data_stream.namespace type: constant_keyword - description: Datastream namespace. -- name: "@timestamp" + description: Data stream namespace. +- name: '@timestamp' type: date - description: > - Event timestamp. - + description: Event timestamp. diff --git a/packages/juniper/data_stream/netscreen/fields/ecs.yml b/packages/juniper/data_stream/netscreen/fields/ecs.yml index f608a0720d0..52364693993 100644 --- a/packages/juniper/data_stream/netscreen/fields/ecs.yml +++ b/packages/juniper/data_stream/netscreen/fields/ecs.yml @@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: level level: core type: keyword @@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword 
@@ -103,6 +94,16 @@ description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true @@ -115,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -151,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -167,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long 
@@ -236,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -268,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long @@ -337,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: 
@@ -523,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -533,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: @@ -558,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: 
@@ -652,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -684,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: @@ -739,10 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md index 5a1c7e6af80..33217abb264 100644 --- a/packages/juniper/docs/README.md +++ b/packages/juniper/docs/README.md 
@@ -1648,17 +1648,19 @@ The `netscreen` dataset collects Netscreen logs. | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| data_stream.dataset | Datastream dataset. | constant_keyword | -| data_stream.namespace | Datastream namespace. | constant_keyword | -| data_stream.type | Datastream type. | constant_keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | Destination domain. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location.lat | | double | | destination.geo.location.lon | | double | -| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.mac | MAC address of the destination. 
| keyword |
| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
@@ -1666,9 +1668,10 @@ The `netscreen` dataset collects Netscreen logs.
| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
| dns.answers.type | The type of data contained in this resource record. | keyword |
| dns.question.type | The type of record being queried. | keyword |
+| error.message | Error message. | text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
| date | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | 
@@ -1682,13 +1685,14 @@ The `netscreen` dataset collects Netscreen logs. | geo.country_name | Country name. | keyword | | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.content | The full HTTP response body. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | @@ -1712,6 +1716,7 @@ The `netscreen` dataset collects Netscreen logs. | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.user | All the user names seen on your event. | keyword | | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | 
@@ -2388,13 +2393,15 @@ The `netscreen` dataset collects Netscreen logs.
| server.domain | Server domain. | keyword |
| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
| source.bytes | Bytes sent from the source to the destination. | long |
| source.domain | Source domain. | keyword |
| source.geo.city_name | City name. | keyword |
| source.geo.country_name | Country name. | keyword |
| source.geo.location.lat | | double |
| source.geo.location.lon | | double |
-| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| source.mac | MAC address of the source. | keyword |
| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
@@ -2403,11 +2410,11 @@ The `netscreen` dataset collects Netscreen logs.
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
 | url.path | Path of the request, such as "/search". | keyword |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.full_name | User's full name, if available. | keyword |
-| user.id | Unique identifiers of the user. | keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml
index 1710a0f1453..0d6a1c723e4 100644
--- a/packages/juniper/manifest.yml
+++ b/packages/juniper/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: juniper
 title: Juniper
-version: 0.3.0
+version: 0.4.0
 description: Juniper Integration
 categories: ["network", "security"]
 release: experimental
From ecec5f0b5706a3fba0e4f896b1899e503f10eef8 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 28 Oct 2020 10:35:29 +0100
Subject: [PATCH 4/4] Update microsoft fields / docs / config
---
 .../dhcp/agent/stream/stream.yml.hbs | 4 +-
 .../data_stream/dhcp/agent/stream/tcp.yml.hbs | 4 +-
 .../data_stream/dhcp/agent/stream/udp.yml.hbs | 4 +-
 .../data_stream/dhcp/fields/base-fields.yml | 12 +-
 .../microsoft/data_stream/dhcp/fields/ecs.yml | 137 +++++++++++++-----
 packages/microsoft/docs/README.md | 29 ++--
 packages/microsoft/manifest.yml | 2 +-
 7 files changed, 130 insertions(+), 62 deletions(-)
diff --git a/packages/microsoft/data_stream/dhcp/agent/stream/stream.yml.hbs b/packages/microsoft/data_stream/dhcp/agent/stream/stream.yml.hbs
index 1ac93b59184..744ce689790 100644
--- a/packages/microsoft/data_stream/dhcp/agent/stream/stream.yml.hbs
+++ b/packages/microsoft/data_stream/dhcp/agent/stream/stream.yml.hbs
@@ -13,7 +13,9 @@ fields:
 vendor: "Microsoft"
 product: "DHCP"
 type: "Application"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 processors:
 - script:
@@ -3433,4 +3435,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/packages/microsoft/data_stream/dhcp/agent/stream/tcp.yml.hbs b/packages/microsoft/data_stream/dhcp/agent/stream/tcp.yml.hbs
index b8df208f4a6..f0d7acee9c9 100644
--- a/packages/microsoft/data_stream/dhcp/agent/stream/tcp.yml.hbs
+++ b/packages/microsoft/data_stream/dhcp/agent/stream/tcp.yml.hbs
@@ -10,7 +10,9 @@ fields:
 vendor: "Microsoft"
 product: "DHCP"
 type: "Application"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 processors:
 - script:
@@ -3430,4 +3432,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/packages/microsoft/data_stream/dhcp/agent/stream/udp.yml.hbs b/packages/microsoft/data_stream/dhcp/agent/stream/udp.yml.hbs
index 3a4484e022c..173e4ebc0b4 100644
--- a/packages/microsoft/data_stream/dhcp/agent/stream/udp.yml.hbs
+++ b/packages/microsoft/data_stream/dhcp/agent/stream/udp.yml.hbs
@@ -10,7 +10,9 @@ fields:
 vendor: "Microsoft"
 product: "DHCP"
 type: "Application"
+{{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
+{{/contains}}
 processors:
 - script:
@@ -3430,4 +3432,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
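Review bot: The `forwarded` tag now decides whether the collecting agent's own host metadata is suppressed, but nothing in the template records that contract, and the identical block is repeated verbatim in the tcp.yml.hbs and udp.yml.hbs hunks on this line. Assuming `publisher_pipeline.disable_host` still switches off the publisher's `host.*` enrichment, a reader needs to know that a policy without the tag will attribute `host.*` on DHCP events to the collector, which matters wherever those fields feed asset or alert correlation. Suggest a Handlebars comment above the block in all three templates: `{{!-- Drop the collecting agent's host.* only for relayed ("forwarded") logs, where it would misattribute the event to the collector --}}`. The surrounding input definition starts outside the hunk.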
diff --git a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
index 384c977f001..7c798f4534c 100644
--- a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
+++ b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
@@ -1,14 +1,12 @@
 - name: data_stream.type
 type: constant_keyword
- description: Datastream type.
+ description: Data stream type.
 - name: data_stream.dataset
 type: constant_keyword
- description: Datastream dataset.
+ description: Data stream dataset.
 - name: data_stream.namespace
 type: constant_keyword
- description: Datastream namespace.
-- name: "@timestamp"
+ description: Data stream namespace.
+- name: '@timestamp'
 type: date
- description: >
- Event timestamp.
-
+ description: Event timestamp.
diff --git a/packages/microsoft/data_stream/dhcp/fields/ecs.yml b/packages/microsoft/data_stream/dhcp/fields/ecs.yml
index f608a0720d0..52364693993 100644
--- a/packages/microsoft/data_stream/dhcp/fields/ecs.yml
+++ b/packages/microsoft/data_stream/dhcp/fields/ecs.yml
@@ -11,6 +11,7 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.'
 example: Sep 19 08:26:10 localhost My log
+ index: false
 - name: level
 level: core
 type: keyword
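Review bot: The new `index: false` on `log.original` covers only half of what the description just above it promises ("not indexed and doc_values are disabled"); the hunk adds nothing for doc values, so with the keyword default they stay enabled and the description overstates what the mapping does. If the fields schema accepts it, add `doc_values: false` next to `index: false`; otherwise reword the description so it no longer claims doc_values are disabled. The `log.original` definition starts outside the hunk.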
@@ -86,16 +87,6 @@ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that fall in multiple categories.' - example: authentication - name: timezone level: extended type: keyword @@ -103,6 +94,16 @@ description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false - name: '@timestamp' level: core required: true 
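Review bot: Dropping the `event.category` definition in the `@@ -86,16 +87,6 @@` hunk removes the mapping for a field that detection rules and categorization queries key on, while the ingest pipeline is not part of this patch (the diffstat lists no pipeline file). If the DHCP pipeline still writes `event.category`, the value ends up dynamically mapped or unmapped and `event.category:` filters stop matching reliably; the same question applies to the `http.response.body.content` removal in the `@@ -652,23 +715,6 @@` hunk later in this file. Confirm the pipeline no longer sets either field before merging, or keep the definitions. The enclosing `event` group starts outside the hunk.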
@@ -115,6 +116,15 @@ Required field for all events.' example: '2016-05-23T08:05:34.853Z' +- name: related + type: group + fields: + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false - name: user type: group fields: @@ -151,7 +161,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: message level: core type: text @@ -167,9 +177,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: port level: core type: long @@ -236,6 +244,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: host type: group fields: @@ -268,9 +298,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: port level: core type: long 
@@ -337,6 +365,28 @@ ignore_above: 1024 description: City name. example: Montreal + - name: as + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC - name: network type: group fields: @@ -523,7 +573,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". + description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk @@ -533,10 +583,10 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: service type: group fields: 
@@ -558,6 +608,19 @@ type: keyword ignore_above: 1024 description: Server domain. +- name: group + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. - name: process type: group fields: @@ -652,23 +715,6 @@ - name: http type: group fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: content - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The full HTTP response body. - example: Hello world - name: request type: group fields: @@ -684,8 +730,12 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: geo type: group fields: @@ -739,10 +789,17 @@ description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME +- name: error + type: group + fields: + - name: message + level: core + type: text + description: Error message. 
diff --git a/packages/microsoft/docs/README.md b/packages/microsoft/docs/README.md
index 948d8d165f6..b87a995fb13 100644
--- a/packages/microsoft/docs/README.md
+++ b/packages/microsoft/docs/README.md
@@ -16,17 +16,19 @@ The `dhcp` dataset collects Microsoft DHCP logs.
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| data_stream.dataset | Datastream dataset. | constant_keyword |
-| data_stream.namespace | Datastream namespace. | constant_keyword |
-| data_stream.type | Datastream type. | constant_keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
 | destination.domain | Destination domain. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location.lat | | double |
 | destination.geo.location.lon | | double |
-| destination.ip | IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.mac | MAC address of the destination. | keyword |
 | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
 | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
@@ -34,9 +36,10 @@ The `dhcp` dataset collects Microsoft DHCP logs.
 | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
 | dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.question.type | The type of record being queried. | keyword |
+| error.message | Error message. | text |
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
 | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
 | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
@@ -50,13 +53,14 @@ The `dhcp` dataset collects Microsoft DHCP logs.
 | geo.country_name | Country name. | keyword |
 | geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
 | geo.region_name | Region name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.content | The full HTTP response body. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword |
 | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
@@ -80,6 +84,7 @@ The `dhcp` dataset collects Microsoft DHCP logs.
 | process.pid | Process id. | long |
 | process.ppid | Parent process' pid. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| related.user | All the user names seen on your event. | keyword |
 | rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
 | rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
 | rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
@@ -756,13 +761,15 @@ The `dhcp` dataset collects Microsoft DHCP logs.
 | server.domain | Server domain. | keyword |
 | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
 | source.domain | Source domain. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location.lat | | double |
 | source.geo.location.lon | | double |
-| source.ip | IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. | ip |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. | keyword |
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
@@ -771,11 +778,11 @@ The `dhcp` dataset collects Microsoft DHCP logs.
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
 | url.path | Path of the request, such as "/search". | keyword |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.full_name | User's full name, if available. | keyword |
-| user.id | Unique identifiers of the user. | keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
diff --git a/packages/microsoft/manifest.yml b/packages/microsoft/manifest.yml
index 720e969d618..48a286cce52 100644
--- a/packages/microsoft/manifest.yml
+++ b/packages/microsoft/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: microsoft
 title: Microsoft
-version: 0.2.0
+version: 0.3.0
 description: Microsoft Integration
 categories: ["network"]
 release: experimental