From ec77b94688b00d18c1f6f4f04d695727adf1a126 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Thu, 8 Jan 2026 12:23:35 +0200 Subject: [PATCH 1/6] Update host and entity schemas to enhance structure and relationships - Removed the reusable section from the host schema for clarity. - Added a new 'relationship' field to the entity schema to track varying attributes between entity types. - Updated the risk schema to include 'entity' as an expected type. These changes aim to improve the organization and functionality of the schemas for better data representation. --- schemas/entity.yml | 8 ++++++++ schemas/host.yml | 6 ------ schemas/risk.yml | 1 + 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/schemas/entity.yml b/schemas/entity.yml index de36529f16..e015614e8f 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml @@ -163,6 +163,14 @@ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. beta: This field is beta and subject to change. + - name: relationship + level: extended + type: object + short: A set of relationship attributes that can vary between entity types. + description: > + The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + beta: This field is beta and subject to change. + - name: lifecycle level: extended type: object diff --git a/schemas/host.yml b/schemas/host.yml index 2d33b05b78..2782b569c7 100644 --- a/schemas/host.yml +++ b/schemas/host.yml 
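Review bot: The new `relationship` field in schemas/entity.yml is a bare `type: object` whose description says its structure varies by entity type, but unlike its siblings `attributes` ("Usually boolean or keyword field data types") and `metrics` ("These use dynamic field data type mapping") it does not say which field data types or mapping behaviour to expect. That matters because `entity.*` is copied to every reuse location (patch 2's generated fields show `origin.entity.relationship`, `target.entity.relationship` and `entity.target.relationship`, and the host/cloud/user/service/orchestrator templates change as well), so an unconstrained object fed from unvetted source data grows the mapping at each of them. Suggest extending the description with one sentence in the style of the sibling field sets, e.g. `Usually keyword field data types; state which data types are expected or whether dynamic mapping is intended.` The `short` text ("A set of relationship attributes") could also name what a relationship attribute is, since the commit message's "varying attributes between entity types" is the only hint.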
@@ -25,12 +25,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - reusable: - top_level: true - expected: - - at: host - as: target - short_override: Targeted host of action taken. type: group fields: - name: hostname diff --git a/schemas/risk.yml b/schemas/risk.yml index 8c54f392b5..3ebc2122a3 100644 --- a/schemas/risk.yml +++ b/schemas/risk.yml @@ -30,6 +30,7 @@ expected: - host - user + - entity type: group fields: - name: calculated_score From b55bc55e76910fd0b390b301060a6f6b3fa8457a Mon Sep 17 00:00:00 2001 
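Review bot: Adding `entity` to `expected` in schemas/risk.yml means a host or user entity can now carry risk at both `host.risk.*`/`user.risk.*` and `entity.risk.*`, and nothing in the hunk says how the two relate. `entity.name` and `entity.id` resolve the same overlap by stating that the entity value should mirror the corresponding `*.name`/`*.id` value for entities with dedicated field sets, and the new nesting should carry the same guidance so that detections and risk dashboards do not read two different scores for one entity. The expanded form already used by host.yml's reusable section would fit: `- at: entity` / `as: risk` / `short_override: Risk score and level of the entity; mirrors *.risk for entities with dedicated field sets.` If the tooling also propagates this nesting into `host.entity.risk.*` and `user.entity.risk.*`, the duplication is wider still; the generated templates in patch 2 should be checked for that.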
From: uri-weisman Date: Thu, 8 Jan 2026 12:23:42 +0200 Subject: [PATCH 2/6] Add entity.relationship field and enhance risk fields - Introduced the `entity.relationship` field to track relationship characteristics of entities for advanced searching and correlation. - Enhanced risk fields with new properties: `calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, and `static_score_norm` to improve risk assessment capabilities. - Updated documentation to reflect these changes across relevant ECS reference files. --- docs/reference/ecs-entity.md | 2 + docs/reference/ecs-host.md | 9 - docs/reference/ecs-otel-alignment-overview.md | 2 +- docs/reference/ecs-risk.md | 1 + experimental/generated/beats/fields.ecs.yml | 892 ++++------ experimental/generated/csv/fields.csv | 85 +- experimental/generated/ecs/ecs_flat.yml | 1528 ++++++---------- experimental/generated/ecs/ecs_nested.yml | 1575 ++++++----------- .../composable/component/cloud.json | 9 + .../composable/component/entity.json | 54 + .../composable/component/host.json | 277 +-- .../composable/component/orchestrator.json | 3 + .../composable/component/service.json | 9 + .../composable/component/user.json | 12 + .../elasticsearch/legacy/template.json | 364 +--- generated/beats/fields.ecs.yml | 892 ++++------ generated/csv/fields.csv | 85 +- generated/ecs/ecs_flat.yml | 1528 ++++++---------- generated/ecs/ecs_nested.yml | 1575 ++++++----------- .../composable/component/cloud.json | 9 + .../composable/component/entity.json | 54 + .../composable/component/host.json | 277 +-- .../composable/component/orchestrator.json | 3 + .../composable/component/service.json | 9 + .../composable/component/user.json | 12 + generated/elasticsearch/legacy/template.json | 364 +--- 26 files changed, 3212 insertions(+), 6418 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 951777bfdb..0205c0a8cb 100644 --- a/docs/reference/ecs-entity.md 
+++ b/docs/reference/ecs-entity.md @@ -25,6 +25,7 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | +| $$$field-entity-relationship$$$ [entity.relationship](#field-entity-relationship) | _This field is beta and subject to change._ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | | $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | @@ -47,4 +48,5 @@ Note also that the `entity` fields may be used directly at the root of the event | Location | Field Set | Description | | --- | --- | --- | +| `entity.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. | | `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. | diff --git a/docs/reference/ecs-host.md b/docs/reference/ecs-host.md index 149973c386..51705caaf2 100644 --- a/docs/reference/ecs-host.md +++ b/docs/reference/ecs-host.md @@ -36,14 +36,6 @@ ECS host.* fields should be populated with details about the host on which the e | $$$field-host-type$$$ [host.type](#field-host-type) | Type of host.

For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | core | | $$$field-host-uptime$$$ [host.uptime](#field-host-uptime) | Seconds the host has been up.

type: long

example: `1325`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | extended | -## Field reuse [_field_reuse] - -The `host` fields are expected to be nested at: - -* `host.target` - -Note also that the `host` fields may be used directly at the root of the events. - ### Field sets that can be nested under Host [ecs-host-nestings] @@ -53,4 +45,3 @@ Note also that the `host` fields may be used directly at the root of the events. | `host.geo.*` | [geo](/reference/ecs-geo.md) | Fields describing a location. | | `host.os.*` | [os](/reference/ecs-os.md) | OS fields contain information about the operating system. | | `host.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. | -| `host.target.*` | [host](/reference/ecs-host.md) | Targeted host of action taken. | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 970ae81bf3..37f4346b3b 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md 
@@ -47,7 +47,7 @@ The following table summarizes the alignment status by namespaces between ECS in | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · | | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · | | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | | -| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · | +| Entity | [14](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · | | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · | | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · | | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | | diff --git a/docs/reference/ecs-risk.md b/docs/reference/ecs-risk.md index fdd65ad541..1ba63bbf58 100644 --- a/docs/reference/ecs-risk.md +++ b/docs/reference/ecs-risk.md @@ -30,6 +30,7 @@ These fields are in beta and are subject to change. The `risk` fields are expected to be nested at: +* `entity.risk` * `host.risk` * `user.risk` diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 635bf839c6..f85636c3e6 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -600,6 +600,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword @@ -765,6 +773,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: origin.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: origin.entity.source level: core type: keyword @@ -1019,6 +1035,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: target.entity.source level: core type: keyword 
@@ -2537,6 +2561,60 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: source level: core type: keyword 
@@ -2645,6 +2723,60 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: target.source level: core type: keyword 
@@ -4282,525 +4414,100 @@ level: extended type: keyword ignore_above: 1024 - description: The name of the model that generated the response. - example: gpt-4-0613 - default_field: false - - name: system - level: extended - type: keyword - ignore_above: 1024 - description: The Generative AI product as identified by the client or server - instrumentation. - example: openai - default_field: false - - name: token.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of token being counted. - example: input; output - default_field: false - - name: tool.call.id - level: extended - type: keyword - ignore_above: 1024 - description: The tool call identifier. - example: call_mszuSIzqtI65i1wAUOE8w5H4 - default_field: false - - name: tool.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the tool utilized by the agent. - example: Flights - default_field: false - - name: tool.type - level: extended - type: keyword - ignore_above: 1024 - description: Type of the tool utilized by the agent - example: function; extension; datastore - default_field: false - - name: usage.input_tokens - level: extended - type: integer - description: The number of tokens used in the GenAI input (prompt). - example: 100 - default_field: false - - name: usage.output_tokens - level: extended - type: integer - description: The number of tokens used in the GenAI response (completion). - example: 180 - default_field: false - - name: group - title: Group - group: 2 - description: The group fields are meant to represent groups that are relevant - to the event. - type: group - default_field: true - fields: - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the - event happened, or from which the measurement was taken. Host types include - hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - default_field: true - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: boot.id - level: extended - type: keyword - ignore_above: 1024 - description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note - the boot_id value from /proc may or may not be the same in containers as on - the host. Some container runtimes will bind mount a new boot_id value onto - the proc file in each container. - example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - default_field: false - - name: cpu.usage - level: extended - type: scaled_float - description: 'Percent CPU used which is normalized by the number of CPU cores - and it ranges from 0 to 1. - - Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the - two cores, between 0 and 1.' - scaling_factor: 1000 - default_field: false - - name: disk.read.bytes - level: extended - type: long - description: The total number of bytes (gauge) read successfully (aggregated - from all disks) since the last metric collection. - default_field: false - - name: disk.write.bytes - level: extended - type: long - description: The total number of bytes (gauge) written successfully (aggregated - from all disks) since the last metric collection. - default_field: false - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. 
- - For example, on Windows this could be the host''s Active Directory domain - or NetBIOS domain name. For Linux this could be the domain of the host''s - LDAP provider.' - example: CONTOSO - default_field: false - - name: entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, or similar, - its type array should include the matching value — for example, `host` or - `cloud`.' - example: host - default_field: false - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA - default_field: false - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' 
- - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: 'Host MAC addresses. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what hostname returns on Unix systems, the fully qualified - domain name (FQDN), or a name specified by the user. The recommended value - is the lowercase FQDN of the host.' - - name: network.egress.bytes - level: extended - type: long - description: The number of bytes (gauge) sent out on all network interfaces - by the host since the last metric collection. - default_field: false - - name: network.egress.packets - level: extended - type: long - description: The number of packets (gauge) sent out on all network interfaces - by the host since the last metric collection. - default_field: false - - name: network.ingress.bytes - level: extended - type: long - description: The number of bytes received (gauge) on all network interfaces - by the host since the last metric collection. - default_field: false - - name: network.ingress.packets - level: extended - type: long - description: The number of packets (gauge) received on all network interfaces - by the host since the last metric collection. 
- default_field: false - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform + description: The name of the model that generated the response. + example: gpt-4-0613 + default_field: false + - name: system level: extended type: keyword ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.type + description: The Generative AI product as identified by the client or server + instrumentation. + example: openai + default_field: false + - name: token.type level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system into - one of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field - should not be populated. Please let us know by opening an issue with ECS, - to propose its addition.' - example: macos + description: The type of token being counted. + example: input; output default_field: false - - name: os.version + - name: tool.call.id level: extended type: keyword ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: pid_ns_ino + description: The tool call identifier. 
+ example: call_mszuSIzqtI65i1wAUOE8w5H4 + default_field: false + - name: tool.name level: extended type: keyword ignore_above: 1024 - description: This is the inode number of the namespace in the namespace file - system (nsfs). Unsigned int inum in include/linux/ns_common.h. - example: 256383 + description: Name of the tool utilized by the agent. + example: Flights default_field: false - - name: risk.calculated_level + - name: tool.type level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High + description: Type of the tool utilized by the agent + example: function; extension; datastore default_field: false - - name: risk.calculated_score + - name: usage.input_tokens level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 + type: integer + description: The number of tokens used in the GenAI input (prompt). + example: 100 default_field: false - - name: risk.calculated_score_norm + - name: usage.output_tokens level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + type: integer + description: The number of tokens used in the GenAI response (completion). + example: 180 default_field: false - - name: risk.static_level + - name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + default_field: true + fields: + - name: domain level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: risk.static_score + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: risk.static_score_norm + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: target.architecture + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + default_field: true + fields: + - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - default_field: false - - name: target.boot.id + - name: boot.id level: extended type: keyword ignore_above: 1024 @@ -4810,7 +4517,7 @@ the proc file in each container. example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 default_field: false - - name: target.cpu.usage + - name: cpu.usage level: extended type: scaled_float description: 'Percent CPU used which is normalized by the number of CPU cores 
@@ -4822,19 +4529,19 @@ two cores, between 0 and 1.' scaling_factor: 1000 default_field: false - - name: target.disk.read.bytes + - name: disk.read.bytes level: extended type: long description: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. default_field: false - - name: target.disk.write.bytes + - name: disk.write.bytes level: extended type: long description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. default_field: false - - name: target.domain + - name: domain level: extended type: keyword ignore_above: 1024 @@ -4845,7 +4552,7 @@ LDAP provider.' example: CONTOSO default_field: false - - name: target.entity.attributes + - name: entity.attributes level: extended type: object description: A set of static or semi-static attributes of the entity. Usually @@ -4854,7 +4561,7 @@ and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.behavior + - name: entity.behavior level: extended type: object description: A set of ephemeral characteristics of the entity, derived from @@ -4863,7 +4570,7 @@ of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.display_name + - name: entity.display_name level: extended type: keyword ignore_above: 1024 @@ -4874,7 +4581,7 @@ operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). default_field: false - - name: target.entity.id + - name: entity.id level: core type: keyword ignore_above: 1024 
@@ -4887,13 +4594,13 @@ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' default_field: false - - name: target.entity.last_seen_timestamp + - name: entity.last_seen_timestamp level: extended type: date description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. default_field: false - - name: target.entity.lifecycle + - name: entity.lifecycle level: extended type: object description: A set of temporal characteristics of the entity. Usually date field @@ -4901,13 +4608,13 @@ of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.metrics + - name: entity.metrics level: extended type: object description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. default_field: false - - name: target.entity.name + - name: entity.name level: core type: keyword ignore_above: 1024 @@ -4919,7 +4626,7 @@ For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. default_field: false - - name: target.entity.raw + - name: entity.raw level: extended type: object description: Original, unmodified fields from the source system. Usually flattened @@ -4927,7 +4634,7 @@ fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. default_field: false - - name: target.entity.reference + - name: entity.reference level: extended type: keyword ignore_above: 1024 
@@ -4935,14 +4642,22 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false - - name: target.entity.source + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: entity.source level: core type: keyword ignore_above: 1024 description: The module or integration that provided this entity data (similar to event.module). default_field: false - - name: target.entity.sub_type + - name: entity.sub_type level: extended type: keyword ignore_above: 1024 @@ -4953,7 +4668,7 @@ , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket default_field: false - - name: target.entity.type + - name: entity.type level: core type: keyword ignore_above: 1024 
@@ -4966,48 +4681,43 @@ `cloud`.' example: host default_field: false - - name: target.geo.city_name + - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - default_field: false - - name: target.geo.continent_code + - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - - name: target.geo.continent_name + - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - default_field: false - - name: target.geo.country_iso_code + - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - default_field: false - - name: target.geo.country_name + - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - default_field: false - - name: target.geo.location + - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: target.geo.name + - name: geo.name level: extended type: keyword ignore_above: 1024 @@ -5019,8 +4729,7 @@ Not typically used in automated geolocation.' example: boston-dc - default_field: false - - name: target.geo.postal_code + - name: geo.postal_code level: core type: keyword ignore_above: 1024 
@@ -5030,36 +4739,33 @@ and will vary widely from country to country.' example: 94040 default_field: false - - name: target.geo.region_iso_code + - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - default_field: false - - name: target.geo.region_name + - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - default_field: false - - name: target.geo.timezone + - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - - name: target.hostname + - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - default_field: false - - name: target.id + - name: id level: core type: keyword ignore_above: 1024 @@ -5068,13 +4774,11 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - default_field: false - - name: target.ip + - name: ip level: core type: ip description: Host ip addresses. - default_field: false - - name: target.mac + - name: mac level: core type: keyword ignore_above: 1024 @@ -5086,8 +4790,7 @@ hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: target.name + - name: name level: core type: keyword ignore_above: 1024 
@@ -5096,73 +4799,69 @@ It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - default_field: false - - name: target.network.egress.bytes + - name: network.egress.bytes level: extended type: long description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. default_field: false - - name: target.network.egress.packets + - name: network.egress.packets level: extended type: long description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. default_field: false - - name: target.network.ingress.bytes + - name: network.ingress.bytes level: extended type: long description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. default_field: false - - name: target.network.ingress.packets + - name: network.ingress.packets level: extended type: long description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. default_field: false - - name: target.os.family + - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - default_field: false - - name: target.os.full + - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text + default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - default_field: false - - name: target.os.kernel + - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. 
example: 4.4.0-112-generic - default_field: false - - name: target.os.name + - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text + default_field: false description: Operating system name, without the version. example: Mac OS X - default_field: false - - name: target.os.platform + - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - default_field: false - - name: target.os.type + - name: os.type level: extended type: keyword ignore_above: 1024 @@ -5174,14 +4873,13 @@ to propose its addition.' example: macos default_field: false - - name: target.os.version + - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - default_field: false - - name: target.pid_ns_ino + - name: pid_ns_ino level: extended type: keyword ignore_above: 1024 @@ -5189,7 +4887,7 @@ system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 default_field: false - - name: target.risk.calculated_level + - name: risk.calculated_level level: extended type: keyword ignore_above: 1024 @@ -5197,14 +4895,14 @@ part of entity analytics and entity risk scoring. example: High default_field: false - - name: target.risk.calculated_score + - name: risk.calculated_score level: extended type: float description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. example: 880.73 default_field: false - - name: target.risk.calculated_score_norm + - name: risk.calculated_score_norm level: extended type: float description: A risk classification score calculated by an internal system as @@ -5212,7 +4910,7 @@ of 0 to 100. example: 88.73 default_field: false - - name: target.risk.static_level + - name: risk.static_level level: extended type: keyword ignore_above: 1024 
@@ -5220,14 +4918,14 @@ as from some external Threat Intelligence Platform. example: High default_field: false - - name: target.risk.static_score + - name: risk.static_score level: extended type: float description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. example: 830.0 default_field: false - - name: target.risk.static_score_norm + - name: risk.static_score_norm level: extended type: float description: A risk classification score obtained from outside the system, such @@ -5235,22 +4933,6 @@ of 0 to 100. example: 83.0 default_field: false - - name: target.type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, - this could be the container, for example, or other information meaningful - in your environment.' - default_field: false - - name: target.uptime - level: extended - type: long - description: Seconds the host has been up. - example: 1325 - default_field: false - name: type level: core type: keyword @@ -6146,6 +5828,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword 
@@ -10097,6 +9787,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword @@ -10330,6 +10028,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: origin.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: origin.entity.source level: core type: keyword @@ -10600,6 +10306,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: target.entity.source level: core type: keyword 
@@ -15287,6 +15001,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: changes.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: changes.entity.source level: core type: keyword @@ -15539,6 +15261,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: effective.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: effective.entity.source level: core type: keyword @@ -15775,6 +15505,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword 
@@ -16015,6 +15753,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: target.entity.source level: core type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 1bc0421574..15b5782c08 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -69,6 +69,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,cloud,cloud.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,cloud,cloud.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -90,6 +91,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,cloud,cloud.origin.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,cloud,cloud.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -121,6 +123,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,cloud,cloud.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -302,6 +305,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,entity,entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. +9.4.0-dev+exp,true,entity,entity.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev+exp,true,entity,entity.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev+exp,true,entity,entity.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.4.0-dev+exp,true,entity,entity.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev+exp,true,entity,entity.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev+exp,true,entity,entity.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.4.0-dev+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
9.4.0-dev+exp,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
@@ -316,6 +326,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,entity,entity.target.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. +9.4.0-dev+exp,true,entity,entity.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev+exp,true,entity,entity.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev+exp,true,entity,entity.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.4.0-dev+exp,true,entity,entity.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev+exp,true,entity,entity.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev+exp,true,entity,entity.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.4.0-dev+exp,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
9.4.0-dev+exp,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity. @@ -552,6 +569,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,host,host.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -591,65 +609,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev+exp,true,host,host.target.architecture,keyword,core,,x86_64,Operating system architecture. -9.4.0-dev+exp,true,host,host.target.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -9.4.0-dev+exp,true,host,host.target.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.4.0-dev+exp,true,host,host.target.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.4.0-dev+exp,true,host,host.target.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.4.0-dev+exp,true,host,host.target.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -9.4.0-dev+exp,true,host,host.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.4.0-dev+exp,true,host,host.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.4.0-dev+exp,true,host,host.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.4.0-dev+exp,true,host,host.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.4.0-dev+exp,true,host,host.target.entity.id,keyword,core,,,Unique identifier for the entity. -9.4.0-dev+exp,true,host,host.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.4.0-dev+exp,true,host,host.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.4.0-dev+exp,true,host,host.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.4.0-dev+exp,true,host,host.target.entity.name,keyword,core,,,The name of the entity. -9.4.0-dev+exp,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity. -9.4.0-dev+exp,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.4.0-dev+exp,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.4.0-dev+exp,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.4.0-dev+exp,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.4.0-dev+exp,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.4.0-dev+exp,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. -9.4.0-dev+exp,true,host,host.target.geo.continent_code,keyword,core,,NA,Continent code. -9.4.0-dev+exp,true,host,host.target.geo.continent_name,keyword,core,,North America,Name of the continent. -9.4.0-dev+exp,true,host,host.target.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.4.0-dev+exp,true,host,host.target.geo.country_name,keyword,core,,Canada,Country name. -9.4.0-dev+exp,true,host,host.target.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-9.4.0-dev+exp,true,host,host.target.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.4.0-dev+exp,true,host,host.target.geo.postal_code,keyword,core,,94040,Postal code. -9.4.0-dev+exp,true,host,host.target.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.4.0-dev+exp,true,host,host.target.geo.region_name,keyword,core,,Quebec,Region name. -9.4.0-dev+exp,true,host,host.target.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.4.0-dev+exp,true,host,host.target.hostname,keyword,core,,,Hostname of the host. -9.4.0-dev+exp,true,host,host.target.id,keyword,core,,,Unique host id. -9.4.0-dev+exp,true,host,host.target.ip,ip,core,array,,Host ip addresses. -9.4.0-dev+exp,true,host,host.target.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -9.4.0-dev+exp,true,host,host.target.name,keyword,core,,,Name of the host. -9.4.0-dev+exp,true,host,host.target.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.4.0-dev+exp,true,host,host.target.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -9.4.0-dev+exp,true,host,host.target.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.4.0-dev+exp,true,host,host.target.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -9.4.0-dev+exp,true,host,host.target.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.4.0-dev+exp,true,host,host.target.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.4.0-dev+exp,true,host,host.target.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.4.0-dev+exp,true,host,host.target.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-9.4.0-dev+exp,true,host,host.target.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.4.0-dev+exp,true,host,host.target.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.4.0-dev+exp,true,host,host.target.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.4.0-dev+exp,true,host,host.target.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.4.0-dev+exp,true,host,host.target.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.4.0-dev+exp,true,host,host.target.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -9.4.0-dev+exp,true,host,host.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.4.0-dev+exp,true,host,host.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.4.0-dev+exp,true,host,host.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.4.0-dev+exp,true,host,host.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.4.0-dev+exp,true,host,host.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.4.0-dev+exp,true,host,host.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev+exp,true,host,host.target.type,keyword,core,,,Type of host. -9.4.0-dev+exp,true,host,host.target.uptime,long,extended,,1325,Seconds the host has been up. 
9.4.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 9.4.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. @@ -761,6 +720,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,orchestrator,orchestrator.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1292,6 +1252,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,service,service.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,service,service.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1315,6 +1276,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,service,service.origin.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,service,service.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1342,6 +1304,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,service,service.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1954,6 +1917,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.changes.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,user,user.changes.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1988,6 +1952,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.effective.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,user,user.effective.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -2020,6 +1985,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,user,user.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -2053,6 +2019,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev+exp,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,user,user.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev+exp,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index c208cb7bb8..75da8fbdb2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -847,6 +847,20 @@ cloud.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +cloud.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source @@ -1180,6 +1194,20 @@ cloud.origin.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +cloud.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source 
@@ -1659,6 +1687,20 @@ cloud.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +cloud.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source 
@@ -4075,6 +4117,99 @@ entity.reference: normalize: [] short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +entity.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.relationship + level: extended + name: relationship + normalize: [] + short: A set of relationship attributes that can vary between entity types. + type: object +entity.risk.calculated_level: + dashed_name: entity-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: entity.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +entity.risk.calculated_score: + dashed_name: entity-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +entity.risk.calculated_score_norm: + dashed_name: entity-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: entity.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +entity.risk.static_level: + dashed_name: entity-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +entity.risk.static_score: + dashed_name: entity-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +entity.risk.static_score_norm: + dashed_name: entity-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: entity.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.source: beta: This field is beta and subject to change. dashed_name: entity-source 
@@ -4254,6 +4389,100 @@ entity.target.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +entity.target.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-target-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object +entity.target.risk.calculated_level: + dashed_name: entity-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: entity.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +entity.target.risk.calculated_score: + dashed_name: entity-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +entity.target.risk.calculated_score_norm: + dashed_name: entity-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: entity.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +entity.target.risk.static_level: + dashed_name: entity-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +entity.target.risk.static_score: + dashed_name: entity-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +entity.target.risk.static_score_norm: + dashed_name: entity-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: entity.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source 
@@ -7795,857 +8024,43 @@ host.disk.write.bytes: stability: development short: The number of bytes written on all disks. type: long -host.domain: - dashed_name: host-domain - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS - domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - flat_name: host.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - short: Name of the directory the group is a member of. - type: keyword -host.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: host-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: host.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -host.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: host-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: host.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. 
- type: object -host.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: host-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: host.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -host.entity.id: - dashed_name: host-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: host.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -host.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: host-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: host.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -host.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: host-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: host.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -host.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: host-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: host.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -host.entity.name: - beta: This field is beta and subject to change. - dashed_name: host-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: host.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: host.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -host.entity.raw: - beta: This field is beta and subject to change. - dashed_name: host-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: host.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -host.entity.reference: - beta: This field is beta and subject to change. - dashed_name: host-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: host.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -host.entity.source: - beta: This field is beta and subject to change. - dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: host.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -host.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: host-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: host.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -host.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: host-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, or similar, its type - array should include the matching value — for example, `host` or `cloud`.' - example: host - flat_name: host.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -host.geo.city_name: - dashed_name: host-geo-city-name - description: City name. - example: Montreal - flat_name: host.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -host.geo.continent_code: - dashed_name: host-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: host.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -host.geo.continent_name: - dashed_name: host-geo-continent-name - description: Name of the continent. - example: North America - flat_name: host.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword -host.geo.country_iso_code: - dashed_name: host-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: host.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -host.geo.country_name: - dashed_name: host-geo-country-name - description: Country name. - example: Canada - flat_name: host.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -host.geo.location: - dashed_name: host-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -host.geo.name: - dashed_name: host-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: host.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -host.geo.postal_code: - dashed_name: host-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: host.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -host.geo.region_iso_code: - dashed_name: host-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: host.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -host.geo.region_name: - dashed_name: host-geo-region-name - description: Region name. - example: Quebec - flat_name: host.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -host.geo.timezone: - dashed_name: host-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: host.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -host.hostname: - dashed_name: host-hostname - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.hostname - ignore_above: 1024 - level: core - name: hostname - normalize: [] - short: Hostname of the host. - type: keyword -host.id: - dashed_name: host-id - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - flat_name: host.id - ignore_above: 1024 - level: core - name: id - normalize: [] - otel: - - relation: match - stability: development - short: Unique host id. - type: keyword -host.ip: - dashed_name: host-ip - description: Host ip addresses. - flat_name: host.ip - level: core - name: ip - normalize: - - array - otel: - - relation: match - stability: development - short: Host ip addresses. - synthetic_source_keep: none - type: ip -host.mac: - dashed_name: host-mac - description: 'Host MAC addresses. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.mac - ignore_above: 1024 - level: core - name: mac - normalize: - - array - otel: - - relation: match - stability: development - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: Host MAC addresses. - synthetic_source_keep: none - type: keyword -host.name: - dashed_name: host-name - description: 'Name of the host. - - It can contain what hostname returns on Unix systems, the fully qualified domain - name (FQDN), or a name specified by the user. The recommended value is the lowercase - FQDN of the host.' - flat_name: host.name - ignore_above: 1024 - level: core - name: name - normalize: [] - otel: - - relation: match - stability: development - short: Name of the host. - type: keyword -host.network.egress.bytes: - dashed_name: host-network-egress-bytes - description: The number of bytes (gauge) sent out on all network interfaces by the - host since the last metric collection. - flat_name: host.network.egress.bytes - level: extended - name: network.egress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes sent on all network interfaces. - type: long -host.network.egress.packets: - dashed_name: host-network-egress-packets - description: The number of packets (gauge) sent out on all network interfaces by - the host since the last metric collection. - flat_name: host.network.egress.packets - level: extended - name: network.egress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets sent on all network interfaces. 
- type: long -host.network.ingress.bytes: - dashed_name: host-network-ingress-bytes - description: The number of bytes received (gauge) on all network interfaces by the - host since the last metric collection. - flat_name: host.network.ingress.bytes - level: extended - name: network.ingress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes received on all network interfaces. - type: long -host.network.ingress.packets: - dashed_name: host-network-ingress-packets - description: The number of packets (gauge) received on all network interfaces by - the host since the last metric collection. - flat_name: host.network.ingress.packets - level: extended - name: network.ingress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets received on all network interfaces. - type: long -host.os.family: - dashed_name: host-os-family - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - flat_name: host.os.family - ignore_above: 1024 - level: extended - name: family - normalize: [] - original_fieldset: os - short: OS family (such as redhat, debian, freebsd, windows). - type: keyword -host.os.full: - dashed_name: host-os-full - description: Operating system name, including the version or code name. - example: Mac OS Mojave - flat_name: host.os.full - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.full.text - name: text - type: match_only_text - name: full - normalize: [] - original_fieldset: os - short: Operating system name, including the version or code name. - type: keyword -host.os.kernel: - dashed_name: host-os-kernel - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - flat_name: host.os.kernel - ignore_above: 1024 - level: extended - name: kernel - normalize: [] - original_fieldset: os - short: Operating system kernel version as a raw string. - type: keyword -host.os.name: - dashed_name: host-os-name - description: Operating system name, without the version. - example: Mac OS X - flat_name: host.os.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: os - short: Operating system name, without the version. - type: keyword -host.os.platform: - dashed_name: host-os-platform - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - flat_name: host.os.platform - ignore_above: 1024 - level: extended - name: platform - normalize: [] - original_fieldset: os - short: Operating system platform (such centos, ubuntu, windows). - type: keyword -host.os.type: - dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system into one - of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field should - not be populated. Please let us know by opening an issue with ECS, to propose - its addition.' - example: macos - expected_values: - - linux - - macos - - unix - - windows - - ios - - android - flat_name: host.os.type - ignore_above: 1024 - level: extended - name: type - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or - android).' - type: keyword -host.os.version: - dashed_name: host-os-version - description: Operating system version as a raw string. - example: 10.14.1 - flat_name: host.os.version - ignore_above: 1024 - level: extended - name: version - normalize: [] - original_fieldset: os - short: Operating system version as a raw string. 
- type: keyword -host.pid_ns_ino: - dashed_name: host-pid-ns-ino - description: This is the inode number of the namespace in the namespace file system - (nsfs). Unsigned int inum in include/linux/ns_common.h. - example: 256383 - flat_name: host.pid_ns_ino - ignore_above: 1024 - level: extended - name: pid_ns_ino - normalize: [] - short: Pid namespace inode - type: keyword -host.risk.calculated_level: - dashed_name: host-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: host.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -host.risk.calculated_score: - dashed_name: host-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: host.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -host.risk.calculated_score_norm: - dashed_name: host-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: host.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -host.risk.static_level: - dashed_name: host-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: host.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -host.risk.static_score: - dashed_name: host-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: host.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -host.risk.static_score_norm: - dashed_name: host-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: host.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -host.target.architecture: - dashed_name: host-target-architecture - description: Operating system architecture. - example: x86_64 - flat_name: host.target.architecture - ignore_above: 1024 - level: core - name: architecture - normalize: [] - original_fieldset: host - short: Operating system architecture. - type: keyword -host.target.boot.id: - dashed_name: host-target-boot-id - description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. 
Note the - boot_id value from /proc may or may not be the same in containers as on the host. - Some container runtimes will bind mount a new boot_id value onto the proc file - in each container. - example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - flat_name: host.target.boot.id - ignore_above: 1024 - level: extended - name: boot.id - normalize: [] - original_fieldset: host - short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id - type: keyword -host.target.cpu.usage: - dashed_name: host-target-cpu-usage - description: 'Percent CPU used which is normalized by the number of CPU cores and - it ranges from 0 to 1. - - Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the two - cores, between 0 and 1.' - flat_name: host.target.cpu.usage - level: extended - name: cpu.usage - normalize: [] - original_fieldset: host - scaling_factor: 1000 - short: Percent CPU used, between 0 and 1. - type: scaled_float -host.target.disk.read.bytes: - dashed_name: host-target-disk-read-bytes - description: The total number of bytes (gauge) read successfully (aggregated from - all disks) since the last metric collection. - flat_name: host.target.disk.read.bytes - level: extended - name: disk.read.bytes - normalize: [] - original_fieldset: host - short: The number of bytes read by all disks. - type: long -host.target.disk.write.bytes: - dashed_name: host-target-disk-write-bytes - description: The total number of bytes (gauge) written successfully (aggregated - from all disks) since the last metric collection. - flat_name: host.target.disk.write.bytes - level: extended - name: disk.write.bytes - normalize: [] - original_fieldset: host - short: The number of bytes written on all disks. - type: long -host.target.domain: - dashed_name: host-target-domain +host.domain: + dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO - flat_name: host.target.domain + flat_name: host.domain ignore_above: 1024 level: extended name: domain normalize: [] - original_fieldset: host short: Name of the directory the group is a member of. type: keyword -host.target.entity.attributes: +host.entity.attributes: beta: This field is beta and subject to change. - dashed_name: host-target-entity-attributes + dashed_name: host-entity-attributes description: A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.attributes + flat_name: host.entity.attributes level: extended name: attributes normalize: [] original_fieldset: entity short: A set of static or semi-static attributes of the entity. type: object -host.target.entity.behavior: +host.entity.behavior: beta: This field is beta and subject to change. - dashed_name: host-target-entity-behavior + dashed_name: host-entity-behavior description: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.behavior + flat_name: host.entity.behavior level: extended name: behavior normalize: [] 
@@ -8653,17 +8068,17 @@ host.target.entity.behavior: short: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. type: object -host.target.entity.display_name: +host.entity.display_name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-display-name + dashed_name: host-entity-display-name description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). - flat_name: host.target.entity.display_name + flat_name: host.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.entity.display_name.text + - flat_name: host.entity.display_name.text name: text type: match_only_text name: display_name @@ -8671,8 +8086,8 @@ host.target.entity.display_name: original_fieldset: entity short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -host.target.entity.id: - dashed_name: host-target-entity-id +host.entity.id: + dashed_name: host-entity-id description: 'A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is @@ -8680,7 +8095,7 @@ host.target.entity.id: observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: host.target.entity.id + flat_name: host.entity.id ignore_above: 1024 level: core name: id 
@@ -8688,56 +8103,56 @@ host.target.entity.id: original_fieldset: entity short: Unique identifier for the entity. type: keyword -host.target.entity.last_seen_timestamp: +host.entity.last_seen_timestamp: beta: This field is beta and subject to change. - dashed_name: host-target-entity-last-seen-timestamp + dashed_name: host-entity-last-seen-timestamp description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. - flat_name: host.target.entity.last_seen_timestamp + flat_name: host.entity.last_seen_timestamp level: extended name: last_seen_timestamp normalize: [] original_fieldset: entity short: Indicates the date/time when this entity was last "seen." type: date -host.target.entity.lifecycle: +host.entity.lifecycle: beta: This field is beta and subject to change. - dashed_name: host-target-entity-lifecycle + dashed_name: host-entity-lifecycle description: A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.lifecycle + flat_name: host.entity.lifecycle level: extended name: lifecycle normalize: [] original_fieldset: entity short: A set of temporal characteristics of the entity. type: object -host.target.entity.metrics: +host.entity.metrics: beta: This field is beta and subject to change. - dashed_name: host-target-entity-metrics + dashed_name: host-entity-metrics description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. - flat_name: host.target.entity.metrics + flat_name: host.entity.metrics level: extended name: metrics normalize: [] original_fieldset: entity short: Field set for any fields containing numeric entity metrics. 
type: object -host.target.entity.name: +host.entity.name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-name + dashed_name: host-entity-name description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. - flat_name: host.target.entity.name + flat_name: host.entity.name ignore_above: 1024 level: core multi_fields: - - flat_name: host.target.entity.name.text + - flat_name: host.entity.name.text name: text type: match_only_text name: name @@ -8745,27 +8160,27 @@ host.target.entity.name: original_fieldset: entity short: The name of the entity. type: keyword -host.target.entity.raw: +host.entity.raw: beta: This field is beta and subject to change. - dashed_name: host-target-entity-raw + dashed_name: host-entity-raw description: Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. - flat_name: host.target.entity.raw + flat_name: host.entity.raw level: extended name: raw normalize: [] original_fieldset: entity short: Original, unmodified fields from the source system. type: object -host.target.entity.reference: +host.entity.reference: beta: This field is beta and subject to change. - dashed_name: host-target-entity-reference + dashed_name: host-entity-reference description: A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. - flat_name: host.target.entity.reference + flat_name: host.entity.reference ignore_above: 1024 level: extended name: reference 
@@ -8773,12 +8188,26 @@ host.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -host.target.entity.source: +host.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object +host.entity.source: beta: This field is beta and subject to change. - dashed_name: host-target-entity-source + dashed_name: host-entity-source description: The module or integration that provided this entity data (similar to event.module). - flat_name: host.target.entity.source + flat_name: host.entity.source ignore_above: 1024 level: core name: source 
@@ -8786,16 +8215,16 @@ host.target.entity.source: original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword -host.target.entity.sub_type: +host.entity.sub_type: beta: This field is beta and subject to change. - dashed_name: host-target-entity-sub-type + dashed_name: host-entity-sub-type description: 'The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket - flat_name: host.target.entity.sub_type + flat_name: host.entity.sub_type ignore_above: 1024 level: extended name: sub_type @@ -8804,7 +8233,7 @@ host.target.entity.sub_type: short: The specific type designation for the entity as defined by its provider or system. type: keyword -host.target.entity.type: +host.entity.type: allowed_values: - description: Represents a storage container or bucket, typically used for object storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, @@ -8865,7 +8294,7 @@ host.target.entity.type: of containers or workloads. name: orchestrator beta: This field is beta and subject to change. - dashed_name: host-target-entity-type + dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, 
@@ -8873,7 +8302,7 @@ host.target.entity.type: nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.' example: host - flat_name: host.target.entity.type + flat_name: host.entity.type ignore_above: 1024 level: core name: type @@ -8882,11 +8311,11 @@ host.target.entity.type: original_fieldset: entity short: Standardized high-level classification of the entity. type: keyword -host.target.geo.city_name: - dashed_name: host-target-geo-city-name +host.geo.city_name: + dashed_name: host-geo-city-name description: City name. example: Montreal - flat_name: host.target.geo.city_name + flat_name: host.geo.city_name ignore_above: 1024 level: core name: city_name @@ -8894,11 +8323,11 @@ host.target.geo.city_name: original_fieldset: geo short: City name. type: keyword -host.target.geo.continent_code: - dashed_name: host-target-geo-continent-code +host.geo.continent_code: + dashed_name: host-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: host.target.geo.continent_code + flat_name: host.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -8906,11 +8335,11 @@ host.target.geo.continent_code: original_fieldset: geo short: Continent code. type: keyword -host.target.geo.continent_name: - dashed_name: host-target-geo-continent-name +host.geo.continent_name: + dashed_name: host-geo-continent-name description: Name of the continent. example: North America - flat_name: host.target.geo.continent_name + flat_name: host.geo.continent_name ignore_above: 1024 level: core name: continent_name 
@@ -8918,11 +8347,11 @@ host.target.geo.continent_name: original_fieldset: geo short: Name of the continent. type: keyword -host.target.geo.country_iso_code: - dashed_name: host-target-geo-country-iso-code +host.geo.country_iso_code: + dashed_name: host-geo-country-iso-code description: Country ISO code. example: CA - flat_name: host.target.geo.country_iso_code + flat_name: host.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code @@ -8930,11 +8359,11 @@ host.target.geo.country_iso_code: original_fieldset: geo short: Country ISO code. type: keyword -host.target.geo.country_name: - dashed_name: host-target-geo-country-name +host.geo.country_name: + dashed_name: host-geo-country-name description: Country name. example: Canada - flat_name: host.target.geo.country_name + flat_name: host.geo.country_name ignore_above: 1024 level: core name: country_name @@ -8942,19 +8371,19 @@ host.target.geo.country_name: original_fieldset: geo short: Country name. type: keyword -host.target.geo.location: - dashed_name: host-target-geo-location +host.geo.location: + dashed_name: host-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.target.geo.location + flat_name: host.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point -host.target.geo.name: - dashed_name: host-target-geo-name +host.geo.name: + dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -8963,7 +8392,7 @@ host.target.geo.name: Not typically used in automated geolocation.' example: boston-dc - flat_name: host.target.geo.name + flat_name: host.geo.name ignore_above: 1024 level: extended name: name 
@@ -8971,14 +8400,14 @@ host.target.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword -host.target.geo.postal_code: - dashed_name: host-target-geo-postal-code +host.geo.postal_code: + dashed_name: host-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: host.target.geo.postal_code + flat_name: host.geo.postal_code ignore_above: 1024 level: core name: postal_code @@ -8986,11 +8415,11 @@ host.target.geo.postal_code: original_fieldset: geo short: Postal code. type: keyword -host.target.geo.region_iso_code: - dashed_name: host-target-geo-region-iso-code +host.geo.region_iso_code: + dashed_name: host-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: host.target.geo.region_iso_code + flat_name: host.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -8998,11 +8427,11 @@ host.target.geo.region_iso_code: original_fieldset: geo short: Region ISO code. type: keyword -host.target.geo.region_name: - dashed_name: host-target-geo-region-name +host.geo.region_name: + dashed_name: host-geo-region-name description: Region name. example: Quebec - flat_name: host.target.geo.region_name + flat_name: host.geo.region_name ignore_above: 1024 level: core name: region_name @@ -9010,11 +8439,11 @@ host.target.geo.region_name: original_fieldset: geo short: Region name. type: keyword -host.target.geo.timezone: - dashed_name: host-target-geo-timezone +host.geo.timezone: + dashed_name: host-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: host.target.geo.timezone + flat_name: host.geo.timezone ignore_above: 1024 level: core name: timezone 
@@ -9022,129 +8451,148 @@ host.target.geo.timezone: original_fieldset: geo short: Time zone. type: keyword -host.target.hostname: - dashed_name: host-target-hostname +host.hostname: + dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.target.hostname + flat_name: host.hostname ignore_above: 1024 level: core name: hostname normalize: [] - original_fieldset: host short: Hostname of the host. type: keyword -host.target.id: - dashed_name: host-target-id +host.id: + dashed_name: host-id description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - flat_name: host.target.id + flat_name: host.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Unique host id. type: keyword -host.target.ip: - dashed_name: host-target-ip +host.ip: + dashed_name: host-ip description: Host ip addresses. - flat_name: host.target.ip + flat_name: host.ip level: core name: ip normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development short: Host ip addresses. synthetic_source_keep: none type: ip -host.target.mac: - dashed_name: host-target-mac +host.mac: + dashed_name: host-mac description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.target.mac + flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. 
synthetic_source_keep: none type: keyword -host.target.name: - dashed_name: host-target-name +host.name: + dashed_name: host-name description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - flat_name: host.target.name + flat_name: host.name ignore_above: 1024 level: core name: name normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Name of the host. type: keyword -host.target.network.egress.bytes: - dashed_name: host-target-network-egress-bytes +host.network.egress.bytes: + dashed_name: host-network-egress-bytes description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.egress.bytes + flat_name: host.network.egress.bytes level: extended name: network.egress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes sent on all network interfaces. type: long -host.target.network.egress.packets: - dashed_name: host-target-network-egress-packets +host.network.egress.packets: + dashed_name: host-network-egress-packets description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.egress.packets + flat_name: host.network.egress.packets level: extended name: network.egress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets sent on all network interfaces. 
type: long -host.target.network.ingress.bytes: - dashed_name: host-target-network-ingress-bytes +host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.bytes + flat_name: host.network.ingress.bytes level: extended name: network.ingress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes received on all network interfaces. type: long -host.target.network.ingress.packets: - dashed_name: host-target-network-ingress-packets +host.network.ingress.packets: + dashed_name: host-network-ingress-packets description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.packets + flat_name: host.network.ingress.packets level: extended name: network.ingress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets received on all network interfaces. type: long -host.target.os.family: - dashed_name: host-target-os-family +host.os.family: + dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). example: debian - flat_name: host.target.os.family + flat_name: host.os.family ignore_above: 1024 level: extended name: family 
@@ -9152,15 +8600,15 @@ host.target.os.family: original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). type: keyword -host.target.os.full: - dashed_name: host-target-os-full +host.os.full: + dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave - flat_name: host.target.os.full + flat_name: host.os.full ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.full.text + - flat_name: host.os.full.text name: text type: match_only_text name: full @@ -9168,11 +8616,11 @@ host.target.os.full: original_fieldset: os short: Operating system name, including the version or code name. type: keyword -host.target.os.kernel: - dashed_name: host-target-os-kernel +host.os.kernel: + dashed_name: host-os-kernel description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - flat_name: host.target.os.kernel + flat_name: host.os.kernel ignore_above: 1024 level: extended name: kernel @@ -9180,15 +8628,15 @@ host.target.os.kernel: original_fieldset: os short: Operating system kernel version as a raw string. type: keyword -host.target.os.name: - dashed_name: host-target-os-name +host.os.name: + dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X - flat_name: host.target.os.name + flat_name: host.os.name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.name.text + - flat_name: host.os.name.text name: text type: match_only_text name: name 
@@ -9196,11 +8644,11 @@ host.target.os.name: original_fieldset: os short: Operating system name, without the version. type: keyword -host.target.os.platform: - dashed_name: host-target-os-platform +host.os.platform: + dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). example: darwin - flat_name: host.target.os.platform + flat_name: host.os.platform ignore_above: 1024 level: extended name: platform @@ -9208,8 +8656,8 @@ host.target.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword -host.target.os.type: - dashed_name: host-target-os-type +host.os.type: + dashed_name: host-os-type description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. @@ -9224,7 +8672,7 @@ host.target.os.type: - windows - ios - android - flat_name: host.target.os.type + flat_name: host.os.type ignore_above: 1024 level: extended name: type @@ -9233,11 +8681,11 @@ host.target.os.type: short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword -host.target.os.version: - dashed_name: host-target-os-version +host.os.version: + dashed_name: host-os-version description: Operating system version as a raw string. example: 10.14.1 - flat_name: host.target.os.version + flat_name: host.os.version ignore_above: 1024 level: extended name: version 
@@ -9245,25 +8693,24 @@ host.target.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword -host.target.pid_ns_ino: - dashed_name: host-target-pid-ns-ino +host.pid_ns_ino: + dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 - flat_name: host.target.pid_ns_ino + flat_name: host.pid_ns_ino ignore_above: 1024 level: extended name: pid_ns_ino normalize: [] - original_fieldset: host short: Pid namespace inode type: keyword -host.target.risk.calculated_level: - dashed_name: host-target-risk-calculated-level +host.risk.calculated_level: + dashed_name: host-risk-calculated-level description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. example: High - flat_name: host.target.risk.calculated_level + flat_name: host.risk.calculated_level ignore_above: 1024 level: extended name: calculated_level @@ -9272,12 +8719,12 @@ host.target.risk.calculated_level: short: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword -host.target.risk.calculated_score: - dashed_name: host-target-risk-calculated-score +host.risk.calculated_score: + dashed_name: host-risk-calculated-score description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. example: 880.73 - flat_name: host.target.risk.calculated_score + flat_name: host.risk.calculated_score level: extended name: calculated_score normalize: [] 
@@ -9285,25 +8732,25 @@ host.target.risk.calculated_score: short: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float -host.target.risk.calculated_score_norm: - dashed_name: host-target-risk-calculated-score-norm +host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. example: 88.73 - flat_name: host.target.risk.calculated_score_norm + flat_name: host.risk.calculated_score_norm level: extended name: calculated_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an internal system. type: float -host.target.risk.static_level: - dashed_name: host-target-risk-static-level +host.risk.static_level: + dashed_name: host-risk-static-level description: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. example: High - flat_name: host.target.risk.static_level + flat_name: host.risk.static_level ignore_above: 1024 level: extended name: static_level @@ -9312,12 +8759,12 @@ host.target.risk.static_level: short: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword -host.target.risk.static_score: - dashed_name: host-target-risk-static-score +host.risk.static_score: + dashed_name: host-risk-static-score description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. example: 830.0 - flat_name: host.target.risk.static_score + flat_name: host.risk.static_score level: extended name: static_score normalize: [] 
@@ -9325,44 +8772,19 @@ host.target.risk.static_score: short: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float -host.target.risk.static_score_norm: - dashed_name: host-target-risk-static-score-norm +host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. example: 83.0 - flat_name: host.target.risk.static_score_norm + flat_name: host.risk.static_score_norm level: extended name: static_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an external system. type: float -host.target.type: - dashed_name: host-target-type - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this - could be the container, for example, or other information meaningful in your environment.' - flat_name: host.target.type - ignore_above: 1024 - level: core - name: type - normalize: [] - original_fieldset: host - short: Type of host. - type: keyword -host.target.uptime: - dashed_name: host-target-uptime - description: Seconds the host has been up. - example: 1325 - flat_name: host.target.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: host - short: Seconds the host has been up. - type: long host.type: dashed_name: host-type description: 'Type of host. 
@@ -10847,6 +10269,20 @@ orchestrator.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +orchestrator.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: orchestrator-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: orchestrator.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source @@ -17327,6 +16763,20 @@ service.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +service.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source 
@@ -17747,6 +17197,20 @@ service.origin.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +service.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source @@ -18216,6 +17680,20 @@ service.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +service.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source 
@@ -26179,6 +25657,20 @@ user.changes.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.changes.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.changes.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source @@ -26662,6 +26154,20 @@ user.effective.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.effective.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.effective.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source 
@@ -27122,6 +26628,20 @@ user.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source @@ -27603,6 +27123,20 @@ user.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f8bed202fb..15f3a7e717 100644 
--- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1051,6 +1051,20 @@ cloud: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + cloud.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: cloud.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source @@ -1390,6 +1404,20 @@ cloud: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + cloud.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: cloud.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source 
@@ -1875,6 +1903,20 @@ cloud: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + cloud.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: cloud.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source 
@@ -5106,6 +5148,99 @@ entity: normalize: [] short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + entity.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: entity.relationship + level: extended + name: relationship + normalize: [] + short: A set of relationship attributes that can vary between entity types. + type: object + entity.risk.calculated_level: + dashed_name: entity-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: entity.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + entity.risk.calculated_score: + dashed_name: entity-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + entity.risk.calculated_score_norm: + dashed_name: entity-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: entity.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + entity.risk.static_level: + dashed_name: entity-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + entity.risk.static_score: + dashed_name: entity-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + entity.risk.static_score_norm: + dashed_name: entity-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: entity.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.source: beta: This field is beta and subject to change. dashed_name: entity-source 
@@ -5288,6 +5423,100 @@ entity: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + entity.target.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-target-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: entity.target.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object + entity.target.risk.calculated_level: + dashed_name: entity-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: entity.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + entity.target.risk.calculated_score: + dashed_name: entity-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + entity.target.risk.calculated_score_norm: + dashed_name: entity-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: entity.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + entity.target.risk.static_level: + dashed_name: entity-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + entity.target.risk.static_score: + dashed_name: entity-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + entity.target.risk.static_score_norm: + dashed_name: entity-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: entity.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source @@ -5488,6 +5717,7 @@ entity: group: 2 name: entity nestings: + - entity.risk - entity.target prefix: entity. reusable: @@ -5513,6 +5743,9 @@ entity: short_override: Targeted entity of action taken. top_level: true reused_here: + - full: entity.risk + schema_name: risk + short: Fields for describing risk score and level. - full: entity.target schema_name: entity short: Targeted entity of action taken. 
@@ -9343,886 +9576,64 @@ host: name: disk.read.bytes normalize: [] otel: - - metric: system.disk.io - relation: metric - stability: development - short: The number of bytes read by all disks. - type: long - host.disk.write.bytes: - dashed_name: host-disk-write-bytes - description: The total number of bytes (gauge) written successfully (aggregated - from all disks) since the last metric collection. - flat_name: host.disk.write.bytes - level: extended - name: disk.write.bytes - normalize: [] - otel: - - metric: system.disk.io - relation: metric - stability: development - short: The number of bytes written on all disks. - type: long - host.domain: - dashed_name: host-domain - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain - or NetBIOS domain name. For Linux this could be the domain of the host''s - LDAP provider.' - example: CONTOSO - flat_name: host.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - short: Name of the directory the group is a member of. - type: keyword - host.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: host-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: host.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - host.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: host-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: host.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - host.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: host-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: host.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - host.entity.id: - dashed_name: host-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: host.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - host.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: host-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: host.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - host.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: host-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: host.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - host.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: host-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: host.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - host.entity.name: - beta: This field is beta and subject to change. - dashed_name: host-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: host.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: host.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - host.entity.raw: - beta: This field is beta and subject to change. - dashed_name: host-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: host.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - host.entity.reference: - beta: This field is beta and subject to change. - dashed_name: host-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: host.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - host.entity.source: - beta: This field is beta and subject to change. - dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: host.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - host.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: host-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: host.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - host.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: host-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, or similar, - its type array should include the matching value — for example, `host` or - `cloud`.' - example: host - flat_name: host.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - host.geo.city_name: - dashed_name: host-geo-city-name - description: City name. - example: Montreal - flat_name: host.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - host.geo.continent_code: - dashed_name: host-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: host.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword - host.geo.continent_name: - dashed_name: host-geo-continent-name - description: Name of the continent. - example: North America - flat_name: host.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - host.geo.country_iso_code: - dashed_name: host-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: host.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - host.geo.country_name: - dashed_name: host-geo-country-name - description: Country name. - example: Canada - flat_name: host.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - host.geo.location: - dashed_name: host-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - host.geo.name: - dashed_name: host-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: host.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - host.geo.postal_code: - dashed_name: host-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: host.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - host.geo.region_iso_code: - dashed_name: host-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: host.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - host.geo.region_name: - dashed_name: host-geo-region-name - description: Region name. - example: Quebec - flat_name: host.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - host.geo.timezone: - dashed_name: host-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: host.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - host.hostname: - dashed_name: host-hostname - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.hostname - ignore_above: 1024 - level: core - name: hostname - normalize: [] - short: Hostname of the host. - type: keyword - host.id: - dashed_name: host-id - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - flat_name: host.id - ignore_above: 1024 - level: core - name: id - normalize: [] - otel: - - relation: match - stability: development - short: Unique host id. - type: keyword - host.ip: - dashed_name: host-ip - description: Host ip addresses. - flat_name: host.ip - level: core - name: ip - normalize: - - array - otel: - - relation: match - stability: development - short: Host ip addresses. 
- synthetic_source_keep: none - type: ip - host.mac: - dashed_name: host-mac - description: 'Host MAC addresses. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.mac - ignore_above: 1024 - level: core - name: mac - normalize: - - array - otel: - - relation: match - stability: development - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: Host MAC addresses. - synthetic_source_keep: none - type: keyword - host.name: - dashed_name: host-name - description: 'Name of the host. - - It can contain what hostname returns on Unix systems, the fully qualified - domain name (FQDN), or a name specified by the user. The recommended value - is the lowercase FQDN of the host.' - flat_name: host.name - ignore_above: 1024 - level: core - name: name - normalize: [] - otel: - - relation: match - stability: development - short: Name of the host. - type: keyword - host.network.egress.bytes: - dashed_name: host-network-egress-bytes - description: The number of bytes (gauge) sent out on all network interfaces - by the host since the last metric collection. - flat_name: host.network.egress.bytes - level: extended - name: network.egress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes sent on all network interfaces. - type: long - host.network.egress.packets: - dashed_name: host-network-egress-packets - description: The number of packets (gauge) sent out on all network interfaces - by the host since the last metric collection. 
- flat_name: host.network.egress.packets - level: extended - name: network.egress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets sent on all network interfaces. - type: long - host.network.ingress.bytes: - dashed_name: host-network-ingress-bytes - description: The number of bytes received (gauge) on all network interfaces - by the host since the last metric collection. - flat_name: host.network.ingress.bytes - level: extended - name: network.ingress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes received on all network interfaces. - type: long - host.network.ingress.packets: - dashed_name: host-network-ingress-packets - description: The number of packets (gauge) received on all network interfaces - by the host since the last metric collection. - flat_name: host.network.ingress.packets - level: extended - name: network.ingress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets received on all network interfaces. - type: long - host.os.family: - dashed_name: host-os-family - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - flat_name: host.os.family - ignore_above: 1024 - level: extended - name: family - normalize: [] - original_fieldset: os - short: OS family (such as redhat, debian, freebsd, windows). - type: keyword - host.os.full: - dashed_name: host-os-full - description: Operating system name, including the version or code name. - example: Mac OS Mojave - flat_name: host.os.full - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.full.text - name: text - type: match_only_text - name: full - normalize: [] - original_fieldset: os - short: Operating system name, including the version or code name. 
- type: keyword - host.os.kernel: - dashed_name: host-os-kernel - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - flat_name: host.os.kernel - ignore_above: 1024 - level: extended - name: kernel - normalize: [] - original_fieldset: os - short: Operating system kernel version as a raw string. - type: keyword - host.os.name: - dashed_name: host-os-name - description: Operating system name, without the version. - example: Mac OS X - flat_name: host.os.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: os - short: Operating system name, without the version. - type: keyword - host.os.platform: - dashed_name: host-os-platform - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - flat_name: host.os.platform - ignore_above: 1024 - level: extended - name: platform - normalize: [] - original_fieldset: os - short: Operating system platform (such centos, ubuntu, windows). - type: keyword - host.os.type: - dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system into - one of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field - should not be populated. Please let us know by opening an issue with ECS, - to propose its addition.' - example: macos - expected_values: - - linux - - macos - - unix - - windows - - ios - - android - flat_name: host.os.type - ignore_above: 1024 - level: extended - name: type - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios - or android).' - type: keyword - host.os.version: - dashed_name: host-os-version - description: Operating system version as a raw string. 
- example: 10.14.1 - flat_name: host.os.version - ignore_above: 1024 - level: extended - name: version - normalize: [] - original_fieldset: os - short: Operating system version as a raw string. - type: keyword - host.pid_ns_ino: - dashed_name: host-pid-ns-ino - description: This is the inode number of the namespace in the namespace file - system (nsfs). Unsigned int inum in include/linux/ns_common.h. - example: 256383 - flat_name: host.pid_ns_ino - ignore_above: 1024 - level: extended - name: pid_ns_ino - normalize: [] - short: Pid namespace inode - type: keyword - host.risk.calculated_level: - dashed_name: host-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: host.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - host.risk.calculated_score: - dashed_name: host-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: host.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - host.risk.calculated_score_norm: - dashed_name: host-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: host.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - host.risk.static_level: - dashed_name: host-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: host.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - host.risk.static_score: - dashed_name: host-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: host.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - host.risk.static_score_norm: - dashed_name: host-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: host.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - host.target.architecture: - dashed_name: host-target-architecture - description: Operating system architecture. - example: x86_64 - flat_name: host.target.architecture - ignore_above: 1024 - level: core - name: architecture - normalize: [] - original_fieldset: host - short: Operating system architecture. 
- type: keyword - host.target.boot.id: - dashed_name: host-target-boot-id - description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note - the boot_id value from /proc may or may not be the same in containers as on - the host. Some container runtimes will bind mount a new boot_id value onto - the proc file in each container. - example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - flat_name: host.target.boot.id - ignore_above: 1024 - level: extended - name: boot.id - normalize: [] - original_fieldset: host - short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id - type: keyword - host.target.cpu.usage: - dashed_name: host-target-cpu-usage - description: 'Percent CPU used which is normalized by the number of CPU cores - and it ranges from 0 to 1. - - Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the - two cores, between 0 and 1.' - flat_name: host.target.cpu.usage - level: extended - name: cpu.usage - normalize: [] - original_fieldset: host - scaling_factor: 1000 - short: Percent CPU used, between 0 and 1. - type: scaled_float - host.target.disk.read.bytes: - dashed_name: host-target-disk-read-bytes - description: The total number of bytes (gauge) read successfully (aggregated - from all disks) since the last metric collection. - flat_name: host.target.disk.read.bytes - level: extended - name: disk.read.bytes - normalize: [] - original_fieldset: host + - metric: system.disk.io + relation: metric + stability: development short: The number of bytes read by all disks. type: long - host.target.disk.write.bytes: - dashed_name: host-target-disk-write-bytes + host.disk.write.bytes: + dashed_name: host-disk-write-bytes description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. 
- flat_name: host.target.disk.write.bytes + flat_name: host.disk.write.bytes level: extended name: disk.write.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.disk.io + relation: metric + stability: development short: The number of bytes written on all disks. type: long - host.target.domain: - dashed_name: host-target-domain + host.domain: + dashed_name: host-domain description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO - flat_name: host.target.domain + flat_name: host.domain ignore_above: 1024 level: extended name: domain normalize: [] - original_fieldset: host short: Name of the directory the group is a member of. type: keyword - host.target.entity.attributes: + host.entity.attributes: beta: This field is beta and subject to change. - dashed_name: host-target-entity-attributes + dashed_name: host-entity-attributes description: A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.attributes + flat_name: host.entity.attributes level: extended name: attributes normalize: [] original_fieldset: entity short: A set of static or semi-static attributes of the entity. type: object - host.target.entity.behavior: + host.entity.behavior: beta: This field is beta and subject to change. - dashed_name: host-target-entity-behavior + dashed_name: host-entity-behavior description: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. 
Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.behavior + flat_name: host.entity.behavior level: extended name: behavior normalize: [] @@ -10230,17 +9641,17 @@ host: short: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. type: object - host.target.entity.display_name: + host.entity.display_name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-display-name + dashed_name: host-entity-display-name description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). - flat_name: host.target.entity.display_name + flat_name: host.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.entity.display_name.text + - flat_name: host.entity.display_name.text name: text type: match_only_text name: display_name @@ -10249,8 +9660,8 @@ host: short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword - host.target.entity.id: - dashed_name: host-target-entity-id + host.entity.id: + dashed_name: host-entity-id description: 'A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity''s lifecycle, 2) ensures uniqueness within its @@ -10259,7 +9670,7 @@ host: field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: host.target.entity.id + flat_name: host.entity.id ignore_above: 1024 level: core name: id 
@@ -10267,56 +9678,56 @@ host: original_fieldset: entity short: Unique identifier for the entity. type: keyword - host.target.entity.last_seen_timestamp: + host.entity.last_seen_timestamp: beta: This field is beta and subject to change. - dashed_name: host-target-entity-last-seen-timestamp + dashed_name: host-entity-last-seen-timestamp description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. - flat_name: host.target.entity.last_seen_timestamp + flat_name: host.entity.last_seen_timestamp level: extended name: last_seen_timestamp normalize: [] original_fieldset: entity short: Indicates the date/time when this entity was last "seen." type: date - host.target.entity.lifecycle: + host.entity.lifecycle: beta: This field is beta and subject to change. - dashed_name: host-target-entity-lifecycle + dashed_name: host-entity-lifecycle description: A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.lifecycle + flat_name: host.entity.lifecycle level: extended name: lifecycle normalize: [] original_fieldset: entity short: A set of temporal characteristics of the entity. type: object - host.target.entity.metrics: + host.entity.metrics: beta: This field is beta and subject to change. - dashed_name: host-target-entity-metrics + dashed_name: host-entity-metrics description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. - flat_name: host.target.entity.metrics + flat_name: host.entity.metrics level: extended name: metrics normalize: [] original_fieldset: entity short: Field set for any fields containing numeric entity metrics. 
type: object - host.target.entity.name: + host.entity.name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-name + dashed_name: host-entity-name description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. - flat_name: host.target.entity.name + flat_name: host.entity.name ignore_above: 1024 level: core multi_fields: - - flat_name: host.target.entity.name.text + - flat_name: host.entity.name.text name: text type: match_only_text name: name @@ -10324,27 +9735,27 @@ host: original_fieldset: entity short: The name of the entity. type: keyword - host.target.entity.raw: + host.entity.raw: beta: This field is beta and subject to change. - dashed_name: host-target-entity-raw + dashed_name: host-entity-raw description: Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. - flat_name: host.target.entity.raw + flat_name: host.entity.raw level: extended name: raw normalize: [] original_fieldset: entity short: Original, unmodified fields from the source system. type: object - host.target.entity.reference: + host.entity.reference: beta: This field is beta and subject to change. - dashed_name: host-target-entity-reference + dashed_name: host-entity-reference description: A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. - flat_name: host.target.entity.reference + flat_name: host.entity.reference ignore_above: 1024 level: extended name: reference 
@@ -10352,12 +9763,26 @@ host: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - host.target.entity.source: + host.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: host.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object + host.entity.source: beta: This field is beta and subject to change. - dashed_name: host-target-entity-source + dashed_name: host-entity-source description: The module or integration that provided this entity data (similar to event.module). - flat_name: host.target.entity.source + flat_name: host.entity.source ignore_above: 1024 level: core name: source 
@@ -10365,16 +9790,16 @@ host: original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword - host.target.entity.sub_type: + host.entity.sub_type: beta: This field is beta and subject to change. - dashed_name: host-target-entity-sub-type + dashed_name: host-entity-sub-type description: 'The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket - flat_name: host.target.entity.sub_type + flat_name: host.entity.sub_type ignore_above: 1024 level: extended name: sub_type @@ -10383,7 +9808,7 @@ host: short: The specific type designation for the entity as defined by its provider or system. type: keyword - host.target.entity.type: + host.entity.type: allowed_values: - description: Represents a storage container or bucket, typically used for object storage. Common examples include AWS S3 buckets, Google Cloud Storage @@ -10446,7 +9871,7 @@ host: and networking of containers or workloads. name: orchestrator beta: This field is beta and subject to change. - dashed_name: host-target-entity-type + dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, @@ -10455,7 +9880,7 @@ host: its type array should include the matching value — for example, `host` or `cloud`.' example: host - flat_name: host.target.entity.type + flat_name: host.entity.type ignore_above: 1024 level: core name: type 
@@ -10464,11 +9889,11 @@ host: original_fieldset: entity short: Standardized high-level classification of the entity. type: keyword - host.target.geo.city_name: - dashed_name: host-target-geo-city-name + host.geo.city_name: + dashed_name: host-geo-city-name description: City name. example: Montreal - flat_name: host.target.geo.city_name + flat_name: host.geo.city_name ignore_above: 1024 level: core name: city_name @@ -10476,11 +9901,11 @@ host: original_fieldset: geo short: City name. type: keyword - host.target.geo.continent_code: - dashed_name: host-target-geo-continent-code + host.geo.continent_code: + dashed_name: host-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: host.target.geo.continent_code + flat_name: host.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -10488,11 +9913,11 @@ host: original_fieldset: geo short: Continent code. type: keyword - host.target.geo.continent_name: - dashed_name: host-target-geo-continent-name + host.geo.continent_name: + dashed_name: host-geo-continent-name description: Name of the continent. example: North America - flat_name: host.target.geo.continent_name + flat_name: host.geo.continent_name ignore_above: 1024 level: core name: continent_name @@ -10500,11 +9925,11 @@ host: original_fieldset: geo short: Name of the continent. type: keyword - host.target.geo.country_iso_code: - dashed_name: host-target-geo-country-iso-code + host.geo.country_iso_code: + dashed_name: host-geo-country-iso-code description: Country ISO code. example: CA - flat_name: host.target.geo.country_iso_code + flat_name: host.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code 
@@ -10512,11 +9937,11 @@ host: original_fieldset: geo short: Country ISO code. type: keyword - host.target.geo.country_name: - dashed_name: host-target-geo-country-name + host.geo.country_name: + dashed_name: host-geo-country-name description: Country name. example: Canada - flat_name: host.target.geo.country_name + flat_name: host.geo.country_name ignore_above: 1024 level: core name: country_name @@ -10524,19 +9949,19 @@ host: original_fieldset: geo short: Country name. type: keyword - host.target.geo.location: - dashed_name: host-target-geo-location + host.geo.location: + dashed_name: host-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.target.geo.location + flat_name: host.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point - host.target.geo.name: - dashed_name: host-target-geo-name + host.geo.name: + dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -10545,7 +9970,7 @@ host: Not typically used in automated geolocation.' example: boston-dc - flat_name: host.target.geo.name + flat_name: host.geo.name ignore_above: 1024 level: extended name: name @@ -10553,14 +9978,14 @@ host: original_fieldset: geo short: User-defined description of a location. type: keyword - host.target.geo.postal_code: - dashed_name: host-target-geo-postal-code + host.geo.postal_code: + dashed_name: host-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: host.target.geo.postal_code + flat_name: host.geo.postal_code ignore_above: 1024 level: core name: postal_code 
@@ -10568,11 +9993,11 @@ host: original_fieldset: geo short: Postal code. type: keyword - host.target.geo.region_iso_code: - dashed_name: host-target-geo-region-iso-code + host.geo.region_iso_code: + dashed_name: host-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: host.target.geo.region_iso_code + flat_name: host.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -10580,11 +10005,11 @@ host: original_fieldset: geo short: Region ISO code. type: keyword - host.target.geo.region_name: - dashed_name: host-target-geo-region-name + host.geo.region_name: + dashed_name: host-geo-region-name description: Region name. example: Quebec - flat_name: host.target.geo.region_name + flat_name: host.geo.region_name ignore_above: 1024 level: core name: region_name @@ -10592,11 +10017,11 @@ host: original_fieldset: geo short: Region name. type: keyword - host.target.geo.timezone: - dashed_name: host-target-geo-timezone + host.geo.timezone: + dashed_name: host-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: host.target.geo.timezone + flat_name: host.geo.timezone ignore_above: 1024 level: core name: timezone 
@@ -10604,48 +10029,51 @@ host: original_fieldset: geo short: Time zone. type: keyword - host.target.hostname: - dashed_name: host-target-hostname + host.hostname: + dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.target.hostname + flat_name: host.hostname ignore_above: 1024 level: core name: hostname normalize: [] - original_fieldset: host short: Hostname of the host. type: keyword - host.target.id: - dashed_name: host-target-id + host.id: + dashed_name: host-id description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - flat_name: host.target.id + flat_name: host.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Unique host id. type: keyword - host.target.ip: - dashed_name: host-target-ip + host.ip: + dashed_name: host-ip description: Host ip addresses. - flat_name: host.target.ip + flat_name: host.ip level: core name: ip normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development short: Host ip addresses. synthetic_source_keep: none type: ip - host.target.mac: - dashed_name: host-target-mac + host.mac: + dashed_name: host-mac description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit 
@@ -10653,81 +10081,97 @@ host: of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.target.mac + flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. synthetic_source_keep: none type: keyword - host.target.name: - dashed_name: host-target-name + host.name: + dashed_name: host-name description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - flat_name: host.target.name + flat_name: host.name ignore_above: 1024 level: core name: name normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Name of the host. type: keyword - host.target.network.egress.bytes: - dashed_name: host-target-network-egress-bytes + host.network.egress.bytes: + dashed_name: host-network-egress-bytes description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.egress.bytes + flat_name: host.network.egress.bytes level: extended name: network.egress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes sent on all network interfaces. type: long - host.target.network.egress.packets: - dashed_name: host-target-network-egress-packets + host.network.egress.packets: + dashed_name: host-network-egress-packets description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
- flat_name: host.target.network.egress.packets + flat_name: host.network.egress.packets level: extended name: network.egress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets sent on all network interfaces. type: long - host.target.network.ingress.bytes: - dashed_name: host-target-network-ingress-bytes + host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.bytes + flat_name: host.network.ingress.bytes level: extended name: network.ingress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes received on all network interfaces. type: long - host.target.network.ingress.packets: - dashed_name: host-target-network-ingress-packets + host.network.ingress.packets: + dashed_name: host-network-ingress-packets description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.packets + flat_name: host.network.ingress.packets level: extended name: network.ingress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets received on all network interfaces. type: long - host.target.os.family: - dashed_name: host-target-os-family + host.os.family: + dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). example: debian - flat_name: host.target.os.family + flat_name: host.os.family ignore_above: 1024 level: extended name: family 
@@ -10735,15 +10179,15 @@ host: original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). type: keyword - host.target.os.full: - dashed_name: host-target-os-full + host.os.full: + dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave - flat_name: host.target.os.full + flat_name: host.os.full ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.full.text + - flat_name: host.os.full.text name: text type: match_only_text name: full @@ -10751,11 +10195,11 @@ host: original_fieldset: os short: Operating system name, including the version or code name. type: keyword - host.target.os.kernel: - dashed_name: host-target-os-kernel + host.os.kernel: + dashed_name: host-os-kernel description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - flat_name: host.target.os.kernel + flat_name: host.os.kernel ignore_above: 1024 level: extended name: kernel @@ -10763,15 +10207,15 @@ host: original_fieldset: os short: Operating system kernel version as a raw string. type: keyword - host.target.os.name: - dashed_name: host-target-os-name + host.os.name: + dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X - flat_name: host.target.os.name + flat_name: host.os.name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.name.text + - flat_name: host.os.name.text name: text type: match_only_text name: name @@ -10779,11 +10223,11 @@ host: original_fieldset: os short: Operating system name, without the version. type: keyword - host.target.os.platform: - dashed_name: host-target-os-platform + host.os.platform: + dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). example: darwin - flat_name: host.target.os.platform + flat_name: host.os.platform ignore_above: 1024 level: extended name: platform 
@@ -10791,8 +10235,8 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword - host.target.os.type: - dashed_name: host-target-os-type + host.os.type: + dashed_name: host-os-type description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. @@ -10807,7 +10251,7 @@ host: - windows - ios - android - flat_name: host.target.os.type + flat_name: host.os.type ignore_above: 1024 level: extended name: type @@ -10816,11 +10260,11 @@ host: short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword - host.target.os.version: - dashed_name: host-target-os-version + host.os.version: + dashed_name: host-os-version description: Operating system version as a raw string. example: 10.14.1 - flat_name: host.target.os.version + flat_name: host.os.version ignore_above: 1024 level: extended name: version @@ -10828,25 +10272,24 @@ host: original_fieldset: os short: Operating system version as a raw string. type: keyword - host.target.pid_ns_ino: - dashed_name: host-target-pid-ns-ino + host.pid_ns_ino: + dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 - flat_name: host.target.pid_ns_ino + flat_name: host.pid_ns_ino ignore_above: 1024 level: extended name: pid_ns_ino normalize: [] - original_fieldset: host short: Pid namespace inode type: keyword - host.target.risk.calculated_level: - dashed_name: host-target-risk-calculated-level + host.risk.calculated_level: + dashed_name: host-risk-calculated-level description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. example: High - flat_name: host.target.risk.calculated_level + flat_name: host.risk.calculated_level ignore_above: 1024 level: extended name: calculated_level 
@@ -10855,12 +10298,12 @@ host: short: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword - host.target.risk.calculated_score: - dashed_name: host-target-risk-calculated-score + host.risk.calculated_score: + dashed_name: host-risk-calculated-score description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. example: 880.73 - flat_name: host.target.risk.calculated_score + flat_name: host.risk.calculated_score level: extended name: calculated_score normalize: [] @@ -10868,25 +10311,25 @@ host: short: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float - host.target.risk.calculated_score_norm: - dashed_name: host-target-risk-calculated-score-norm + host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. example: 88.73 - flat_name: host.target.risk.calculated_score_norm + flat_name: host.risk.calculated_score_norm level: extended name: calculated_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an internal system. type: float - host.target.risk.static_level: - dashed_name: host-target-risk-static-level + host.risk.static_level: + dashed_name: host-risk-static-level description: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. example: High - flat_name: host.target.risk.static_level + flat_name: host.risk.static_level ignore_above: 1024 level: extended name: static_level 
@@ -10895,12 +10338,12 @@ host: short: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword - host.target.risk.static_score: - dashed_name: host-target-risk-static-score + host.risk.static_score: + dashed_name: host-risk-static-score description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. example: 830.0 - flat_name: host.target.risk.static_score + flat_name: host.risk.static_score level: extended name: static_score normalize: [] 
@@ -10908,45 +10351,19 @@ host: short: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float - host.target.risk.static_score_norm: - dashed_name: host-target-risk-static-score-norm + host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. example: 83.0 - flat_name: host.target.risk.static_score_norm + flat_name: host.risk.static_score_norm level: extended name: static_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an external system. type: float - host.target.type: - dashed_name: host-target-type - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, - this could be the container, for example, or other information meaningful - in your environment.' - flat_name: host.target.type - ignore_above: 1024 - level: core - name: type - normalize: [] - original_fieldset: host - short: Type of host. - type: keyword - host.target.uptime: - dashed_name: host-target-uptime - description: Seconds the host has been up. - example: 1325 - flat_name: host.target.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: host - short: Seconds the host has been up. - type: long host.type: dashed_name: host-type description: 'Type of host. @@ -10985,15 +10402,7 @@ host: - host.geo - host.os - host.risk - - host.target prefix: host. - reusable: - expected: - - as: target - at: host - full: host.target - short_override: Targeted host of action taken. - top_level: true reused_here: - full: host.entity schema_name: entity 
@@ -11007,9 +10416,6 @@ host: - full: host.risk schema_name: risk short: Fields for describing risk score and level. - - full: host.target - schema_name: host - short: Targeted host of action taken. short: Fields describing the relevant computing instance. title: Host type: group @@ -12797,6 +12203,20 @@ orchestrator: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + orchestrator.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: orchestrator-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: orchestrator.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source @@ -19322,6 +18742,9 @@ risk: - as: risk at: user full: user.risk + - as: risk + at: entity + full: entity.risk top_level: false short: Fields for describing risk score and level. title: Risk information 
@@ -20145,6 +19568,20 @@ service: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + service.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: service.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source @@ -20573,6 +20010,20 @@ service: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + service.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: service.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source 
@@ -21050,6 +20501,20 @@ service: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + service.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: service.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source @@ -29252,6 +28717,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.changes.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.changes.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source 
@@ -29741,6 +29220,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.effective.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.effective.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source @@ -30207,6 +29700,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source 
@@ -30694,6 +30201,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index f2ae9c8ce8..f94473d44e 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -70,6 +70,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -168,6 +171,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -324,6 +330,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json index 0d77c8e5d1..9a9bbc5319 100644 --- a/experimental/generated/elasticsearch/composable/component/entity.json 
+++ b/experimental/generated/elasticsearch/composable/component/entity.json @@ -52,6 +52,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -106,6 +133,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 39acc1c548..4c9f04cd17 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -96,6 +96,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -271,280 +274,6 @@ } } }, - "target": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, "type": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index 490e0a11b1..447e5f2f32 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -78,6 +78,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 29b24518a5..deed804d22 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -58,6 +58,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -157,6 +160,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -274,6 +280,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index f62c5d37cc..f758302e24 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -64,6 +64,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -211,6 +214,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -348,6 +354,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -489,6 +498,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 41aeb6a8b2..2b7c6b9fc1 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -336,6 +336,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -434,6 +437,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -590,6 +596,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -1472,6 +1481,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -1526,6 +1562,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -2534,6 +2597,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -2709,280 +2775,6 @@ } } }, - "target": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, "type": { "ignore_above": 1024, "type": "keyword" 
@@ -3514,6 +3306,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -5883,6 +5678,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -5982,6 +5780,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -6099,6 +5900,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -8750,6 +8554,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -8897,6 +8704,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -9034,6 +8844,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -9175,6 +8988,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 29eed273a0..2e089cf044 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -550,6 +550,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword @@ -715,6 +723,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: origin.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: origin.entity.source level: core type: keyword @@ -969,6 +985,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: target.entity.source level: core type: keyword 
@@ -2487,6 +2511,60 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: source level: core type: keyword 
@@ -2595,6 +2673,60 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: target.source level: core type: keyword 
@@ -4232,525 +4364,100 @@ level: extended type: keyword ignore_above: 1024 - description: The name of the model that generated the response. - example: gpt-4-0613 - default_field: false - - name: system - level: extended - type: keyword - ignore_above: 1024 - description: The Generative AI product as identified by the client or server - instrumentation. - example: openai - default_field: false - - name: token.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of token being counted. - example: input; output - default_field: false - - name: tool.call.id - level: extended - type: keyword - ignore_above: 1024 - description: The tool call identifier. - example: call_mszuSIzqtI65i1wAUOE8w5H4 - default_field: false - - name: tool.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the tool utilized by the agent. - example: Flights - default_field: false - - name: tool.type - level: extended - type: keyword - ignore_above: 1024 - description: Type of the tool utilized by the agent - example: function; extension; datastore - default_field: false - - name: usage.input_tokens - level: extended - type: integer - description: The number of tokens used in the GenAI input (prompt). - example: 100 - default_field: false - - name: usage.output_tokens - level: extended - type: integer - description: The number of tokens used in the GenAI response (completion). - example: 180 - default_field: false - - name: group - title: Group - group: 2 - description: The group fields are meant to represent groups that are relevant - to the event. - type: group - default_field: true - fields: - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the - event happened, or from which the measurement was taken. Host types include - hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - default_field: true - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: boot.id - level: extended - type: keyword - ignore_above: 1024 - description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note - the boot_id value from /proc may or may not be the same in containers as on - the host. Some container runtimes will bind mount a new boot_id value onto - the proc file in each container. - example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - default_field: false - - name: cpu.usage - level: extended - type: scaled_float - description: 'Percent CPU used which is normalized by the number of CPU cores - and it ranges from 0 to 1. - - Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the - two cores, between 0 and 1.' - scaling_factor: 1000 - default_field: false - - name: disk.read.bytes - level: extended - type: long - description: The total number of bytes (gauge) read successfully (aggregated - from all disks) since the last metric collection. - default_field: false - - name: disk.write.bytes - level: extended - type: long - description: The total number of bytes (gauge) written successfully (aggregated - from all disks) since the last metric collection. - default_field: false - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. 
- - For example, on Windows this could be the host''s Active Directory domain - or NetBIOS domain name. For Linux this could be the domain of the host''s - LDAP provider.' - example: CONTOSO - default_field: false - - name: entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, or similar, - its type array should include the matching value — for example, `host` or - `cloud`.' - example: host - default_field: false - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA - default_field: false - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' 
- - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: 'Host MAC addresses. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what hostname returns on Unix systems, the fully qualified - domain name (FQDN), or a name specified by the user. The recommended value - is the lowercase FQDN of the host.' - - name: network.egress.bytes - level: extended - type: long - description: The number of bytes (gauge) sent out on all network interfaces - by the host since the last metric collection. - default_field: false - - name: network.egress.packets - level: extended - type: long - description: The number of packets (gauge) sent out on all network interfaces - by the host since the last metric collection. - default_field: false - - name: network.ingress.bytes - level: extended - type: long - description: The number of bytes received (gauge) on all network interfaces - by the host since the last metric collection. - default_field: false - - name: network.ingress.packets - level: extended - type: long - description: The number of packets (gauge) received on all network interfaces - by the host since the last metric collection. 
- default_field: false - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform + description: The name of the model that generated the response. + example: gpt-4-0613 + default_field: false + - name: system level: extended type: keyword ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.type + description: The Generative AI product as identified by the client or server + instrumentation. + example: openai + default_field: false + - name: token.type level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system into - one of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field - should not be populated. Please let us know by opening an issue with ECS, - to propose its addition.' - example: macos + description: The type of token being counted. + example: input; output default_field: false - - name: os.version + - name: tool.call.id level: extended type: keyword ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: pid_ns_ino + description: The tool call identifier. 
+ example: call_mszuSIzqtI65i1wAUOE8w5H4 + default_field: false + - name: tool.name level: extended type: keyword ignore_above: 1024 - description: This is the inode number of the namespace in the namespace file - system (nsfs). Unsigned int inum in include/linux/ns_common.h. - example: 256383 + description: Name of the tool utilized by the agent. + example: Flights default_field: false - - name: risk.calculated_level + - name: tool.type level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High + description: Type of the tool utilized by the agent + example: function; extension; datastore default_field: false - - name: risk.calculated_score + - name: usage.input_tokens level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 + type: integer + description: The number of tokens used in the GenAI input (prompt). + example: 100 default_field: false - - name: risk.calculated_score_norm + - name: usage.output_tokens level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + type: integer + description: The number of tokens used in the GenAI response (completion). + example: 180 default_field: false - - name: risk.static_level + - name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + default_field: true + fields: + - name: domain level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: risk.static_score + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: risk.static_score_norm + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: target.architecture + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + default_field: true + fields: + - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - default_field: false - - name: target.boot.id + - name: boot.id level: extended type: keyword ignore_above: 1024 @@ -4760,7 +4467,7 @@ the proc file in each container. example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 default_field: false - - name: target.cpu.usage + - name: cpu.usage level: extended type: scaled_float description: 'Percent CPU used which is normalized by the number of CPU cores 
@@ -4772,19 +4479,19 @@ two cores, between 0 and 1.' scaling_factor: 1000 default_field: false - - name: target.disk.read.bytes + - name: disk.read.bytes level: extended type: long description: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. default_field: false - - name: target.disk.write.bytes + - name: disk.write.bytes level: extended type: long description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. default_field: false - - name: target.domain + - name: domain level: extended type: keyword ignore_above: 1024 @@ -4795,7 +4502,7 @@ LDAP provider.' example: CONTOSO default_field: false - - name: target.entity.attributes + - name: entity.attributes level: extended type: object description: A set of static or semi-static attributes of the entity. Usually @@ -4804,7 +4511,7 @@ and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.behavior + - name: entity.behavior level: extended type: object description: A set of ephemeral characteristics of the entity, derived from @@ -4813,7 +4520,7 @@ of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.display_name + - name: entity.display_name level: extended type: keyword ignore_above: 1024 @@ -4824,7 +4531,7 @@ operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). default_field: false - - name: target.entity.id + - name: entity.id level: core type: keyword ignore_above: 1024 
@@ -4837,13 +4544,13 @@ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' default_field: false - - name: target.entity.last_seen_timestamp + - name: entity.last_seen_timestamp level: extended type: date description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. default_field: false - - name: target.entity.lifecycle + - name: entity.lifecycle level: extended type: object description: A set of temporal characteristics of the entity. Usually date field @@ -4851,13 +4558,13 @@ of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.metrics + - name: entity.metrics level: extended type: object description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. default_field: false - - name: target.entity.name + - name: entity.name level: core type: keyword ignore_above: 1024 @@ -4869,7 +4576,7 @@ For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. default_field: false - - name: target.entity.raw + - name: entity.raw level: extended type: object description: Original, unmodified fields from the source system. Usually flattened @@ -4877,7 +4584,7 @@ fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. default_field: false - - name: target.entity.reference + - name: entity.reference level: extended type: keyword ignore_above: 1024 
@@ -4885,14 +4592,22 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false - - name: target.entity.source + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: entity.source level: core type: keyword ignore_above: 1024 description: The module or integration that provided this entity data (similar to event.module). default_field: false - - name: target.entity.sub_type + - name: entity.sub_type level: extended type: keyword ignore_above: 1024 @@ -4903,7 +4618,7 @@ , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket default_field: false - - name: target.entity.type + - name: entity.type level: core type: keyword ignore_above: 1024 
@@ -4916,48 +4631,43 @@ `cloud`.' example: host default_field: false - - name: target.geo.city_name + - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - default_field: false - - name: target.geo.continent_code + - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - - name: target.geo.continent_name + - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - default_field: false - - name: target.geo.country_iso_code + - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - default_field: false - - name: target.geo.country_name + - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - default_field: false - - name: target.geo.location + - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: target.geo.name + - name: geo.name level: extended type: keyword ignore_above: 1024 @@ -4969,8 +4679,7 @@ Not typically used in automated geolocation.' example: boston-dc - default_field: false - - name: target.geo.postal_code + - name: geo.postal_code level: core type: keyword ignore_above: 1024 
@@ -4980,36 +4689,33 @@ and will vary widely from country to country.' example: 94040 default_field: false - - name: target.geo.region_iso_code + - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - default_field: false - - name: target.geo.region_name + - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - default_field: false - - name: target.geo.timezone + - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - - name: target.hostname + - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - default_field: false - - name: target.id + - name: id level: core type: keyword ignore_above: 1024 @@ -5018,13 +4724,11 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - default_field: false - - name: target.ip + - name: ip level: core type: ip description: Host ip addresses. - default_field: false - - name: target.mac + - name: mac level: core type: keyword ignore_above: 1024 @@ -5036,8 +4740,7 @@ hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: target.name + - name: name level: core type: keyword ignore_above: 1024 
@@ -5046,73 +4749,69 @@ It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - default_field: false - - name: target.network.egress.bytes + - name: network.egress.bytes level: extended type: long description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. default_field: false - - name: target.network.egress.packets + - name: network.egress.packets level: extended type: long description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. default_field: false - - name: target.network.ingress.bytes + - name: network.ingress.bytes level: extended type: long description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. default_field: false - - name: target.network.ingress.packets + - name: network.ingress.packets level: extended type: long description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. default_field: false - - name: target.os.family + - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - default_field: false - - name: target.os.full + - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text + default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - default_field: false - - name: target.os.kernel + - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. 
example: 4.4.0-112-generic - default_field: false - - name: target.os.name + - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text + default_field: false description: Operating system name, without the version. example: Mac OS X - default_field: false - - name: target.os.platform + - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - default_field: false - - name: target.os.type + - name: os.type level: extended type: keyword ignore_above: 1024 @@ -5124,14 +4823,13 @@ to propose its addition.' example: macos default_field: false - - name: target.os.version + - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - default_field: false - - name: target.pid_ns_ino + - name: pid_ns_ino level: extended type: keyword ignore_above: 1024 @@ -5139,7 +4837,7 @@ system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 default_field: false - - name: target.risk.calculated_level + - name: risk.calculated_level level: extended type: keyword ignore_above: 1024 @@ -5147,14 +4845,14 @@ part of entity analytics and entity risk scoring. example: High default_field: false - - name: target.risk.calculated_score + - name: risk.calculated_score level: extended type: float description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. example: 880.73 default_field: false - - name: target.risk.calculated_score_norm + - name: risk.calculated_score_norm level: extended type: float description: A risk classification score calculated by an internal system as @@ -5162,7 +4860,7 @@ of 0 to 100. example: 88.73 default_field: false - - name: target.risk.static_level + - name: risk.static_level level: extended type: keyword ignore_above: 1024 
@@ -5170,14 +4868,14 @@ as from some external Threat Intelligence Platform. example: High default_field: false - - name: target.risk.static_score + - name: risk.static_score level: extended type: float description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. example: 830.0 default_field: false - - name: target.risk.static_score_norm + - name: risk.static_score_norm level: extended type: float description: A risk classification score obtained from outside the system, such @@ -5185,22 +4883,6 @@ of 0 to 100. example: 83.0 default_field: false - - name: target.type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, - this could be the container, for example, or other information meaningful - in your environment.' - default_field: false - - name: target.uptime - level: extended - type: long - description: Seconds the host has been up. - example: 1325 - default_field: false - name: type level: core type: keyword @@ -6096,6 +5778,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword 
@@ -10047,6 +9737,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword @@ -10280,6 +9978,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: origin.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: origin.entity.source level: core type: keyword @@ -10550,6 +10256,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: target.entity.source level: core type: keyword 
@@ -15237,6 +14951,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: changes.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: changes.entity.source level: core type: keyword @@ -15489,6 +15211,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: effective.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: effective.entity.source level: core type: keyword @@ -15725,6 +15455,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: entity.source level: core type: keyword 
@@ -15965,6 +15703,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false - name: target.entity.source level: core type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 7a9f02c2c8..1afd91b4e4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -62,6 +62,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,cloud,cloud.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,cloud,cloud.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -83,6 +84,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,cloud,cloud.origin.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,cloud,cloud.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -114,6 +116,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,cloud,cloud.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -295,6 +298,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,entity,entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. +9.4.0-dev,true,entity,entity.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev,true,entity,entity.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev,true,entity,entity.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.4.0-dev,true,entity,entity.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev,true,entity,entity.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev,true,entity,entity.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.4.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
@@ -309,6 +319,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,entity,entity.target.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. +9.4.0-dev,true,entity,entity.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev,true,entity,entity.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev,true,entity,entity.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.4.0-dev,true,entity,entity.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev,true,entity,entity.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev,true,entity,entity.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.4.0-dev,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
9.4.0-dev,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity. @@ -545,6 +562,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,host,host.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -584,65 +602,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev,true,host,host.target.architecture,keyword,core,,x86_64,Operating system architecture. -9.4.0-dev,true,host,host.target.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -9.4.0-dev,true,host,host.target.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.4.0-dev,true,host,host.target.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.4.0-dev,true,host,host.target.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.4.0-dev,true,host,host.target.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -9.4.0-dev,true,host,host.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.4.0-dev,true,host,host.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.4.0-dev,true,host,host.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.4.0-dev,true,host,host.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.4.0-dev,true,host,host.target.entity.id,keyword,core,,,Unique identifier for the entity. -9.4.0-dev,true,host,host.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.4.0-dev,true,host,host.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.4.0-dev,true,host,host.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.4.0-dev,true,host,host.target.entity.name,keyword,core,,,The name of the entity. -9.4.0-dev,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity. -9.4.0-dev,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.4.0-dev,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.4.0-dev,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.4.0-dev,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.4.0-dev,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.4.0-dev,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. -9.4.0-dev,true,host,host.target.geo.continent_code,keyword,core,,NA,Continent code. -9.4.0-dev,true,host,host.target.geo.continent_name,keyword,core,,North America,Name of the continent. -9.4.0-dev,true,host,host.target.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.4.0-dev,true,host,host.target.geo.country_name,keyword,core,,Canada,Country name. -9.4.0-dev,true,host,host.target.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-9.4.0-dev,true,host,host.target.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.4.0-dev,true,host,host.target.geo.postal_code,keyword,core,,94040,Postal code. -9.4.0-dev,true,host,host.target.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.4.0-dev,true,host,host.target.geo.region_name,keyword,core,,Quebec,Region name. -9.4.0-dev,true,host,host.target.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.4.0-dev,true,host,host.target.hostname,keyword,core,,,Hostname of the host. -9.4.0-dev,true,host,host.target.id,keyword,core,,,Unique host id. -9.4.0-dev,true,host,host.target.ip,ip,core,array,,Host ip addresses. -9.4.0-dev,true,host,host.target.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -9.4.0-dev,true,host,host.target.name,keyword,core,,,Name of the host. -9.4.0-dev,true,host,host.target.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.4.0-dev,true,host,host.target.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -9.4.0-dev,true,host,host.target.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.4.0-dev,true,host,host.target.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -9.4.0-dev,true,host,host.target.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.4.0-dev,true,host,host.target.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.4.0-dev,true,host,host.target.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.4.0-dev,true,host,host.target.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-9.4.0-dev,true,host,host.target.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.4.0-dev,true,host,host.target.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.4.0-dev,true,host,host.target.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.4.0-dev,true,host,host.target.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.4.0-dev,true,host,host.target.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.4.0-dev,true,host,host.target.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -9.4.0-dev,true,host,host.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.4.0-dev,true,host,host.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.4.0-dev,true,host,host.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.4.0-dev,true,host,host.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.4.0-dev,true,host,host.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.4.0-dev,true,host,host.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev,true,host,host.target.type,keyword,core,,,Type of host. -9.4.0-dev,true,host,host.target.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev,true,host,host.type,keyword,core,,,Type of host. 
9.4.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. @@ -754,6 +713,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,orchestrator,orchestrator.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,orchestrator,orchestrator.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1285,6 +1245,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,service,service.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,service,service.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1308,6 +1269,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,service,service.origin.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,service,service.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1335,6 +1297,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,service,service.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1947,6 +1910,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.changes.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,user,user.changes.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -1981,6 +1945,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.effective.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,user,user.effective.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. @@ -2013,6 +1978,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,user,user.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -2046,6 +2012,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.4.0-dev,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,user,user.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. 9.4.0-dev,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e272441968..015039b5fd 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -778,6 +778,20 @@ cloud.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +cloud.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source @@ -1111,6 +1125,20 @@ cloud.origin.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +cloud.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source 
@@ -1590,6 +1618,20 @@ cloud.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +cloud.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source 
@@ -4006,6 +4048,99 @@ entity.reference: normalize: [] short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +entity.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.relationship + level: extended + name: relationship + normalize: [] + short: A set of relationship attributes that can vary between entity types. + type: object +entity.risk.calculated_level: + dashed_name: entity-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: entity.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +entity.risk.calculated_score: + dashed_name: entity-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +entity.risk.calculated_score_norm: + dashed_name: entity-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: entity.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +entity.risk.static_level: + dashed_name: entity-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +entity.risk.static_score: + dashed_name: entity-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +entity.risk.static_score_norm: + dashed_name: entity-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: entity.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.source: beta: This field is beta and subject to change. dashed_name: entity-source 
@@ -4185,6 +4320,100 @@ entity.target.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +entity.target.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-target-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object +entity.target.risk.calculated_level: + dashed_name: entity-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: entity.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +entity.target.risk.calculated_score: + dashed_name: entity-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +entity.target.risk.calculated_score_norm: + dashed_name: entity-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: entity.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +entity.target.risk.static_level: + dashed_name: entity-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +entity.target.risk.static_score: + dashed_name: entity-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +entity.target.risk.static_score_norm: + dashed_name: entity-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: entity.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source 
@@ -7726,857 +7955,43 @@ host.disk.write.bytes: stability: development short: The number of bytes written on all disks. type: long -host.domain: - dashed_name: host-domain - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS - domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - flat_name: host.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - short: Name of the directory the group is a member of. - type: keyword -host.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: host-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: host.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -host.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: host-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: host.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. 
- type: object -host.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: host-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: host.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -host.entity.id: - dashed_name: host-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: host.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -host.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: host-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: host.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -host.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: host-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: host.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -host.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: host-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: host.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -host.entity.name: - beta: This field is beta and subject to change. - dashed_name: host-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: host.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: host.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -host.entity.raw: - beta: This field is beta and subject to change. - dashed_name: host-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: host.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -host.entity.reference: - beta: This field is beta and subject to change. - dashed_name: host-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: host.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -host.entity.source: - beta: This field is beta and subject to change. - dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: host.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -host.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: host-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: host.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -host.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: host-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, or similar, its type - array should include the matching value — for example, `host` or `cloud`.' - example: host - flat_name: host.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -host.geo.city_name: - dashed_name: host-geo-city-name - description: City name. - example: Montreal - flat_name: host.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -host.geo.continent_code: - dashed_name: host-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: host.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -host.geo.continent_name: - dashed_name: host-geo-continent-name - description: Name of the continent. - example: North America - flat_name: host.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword -host.geo.country_iso_code: - dashed_name: host-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: host.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -host.geo.country_name: - dashed_name: host-geo-country-name - description: Country name. - example: Canada - flat_name: host.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -host.geo.location: - dashed_name: host-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -host.geo.name: - dashed_name: host-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: host.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -host.geo.postal_code: - dashed_name: host-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: host.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -host.geo.region_iso_code: - dashed_name: host-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: host.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -host.geo.region_name: - dashed_name: host-geo-region-name - description: Region name. - example: Quebec - flat_name: host.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -host.geo.timezone: - dashed_name: host-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: host.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -host.hostname: - dashed_name: host-hostname - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.hostname - ignore_above: 1024 - level: core - name: hostname - normalize: [] - short: Hostname of the host. - type: keyword -host.id: - dashed_name: host-id - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - flat_name: host.id - ignore_above: 1024 - level: core - name: id - normalize: [] - otel: - - relation: match - stability: development - short: Unique host id. - type: keyword -host.ip: - dashed_name: host-ip - description: Host ip addresses. - flat_name: host.ip - level: core - name: ip - normalize: - - array - otel: - - relation: match - stability: development - short: Host ip addresses. - synthetic_source_keep: none - type: ip -host.mac: - dashed_name: host-mac - description: 'Host MAC addresses. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.mac - ignore_above: 1024 - level: core - name: mac - normalize: - - array - otel: - - relation: match - stability: development - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: Host MAC addresses. - synthetic_source_keep: none - type: keyword -host.name: - dashed_name: host-name - description: 'Name of the host. - - It can contain what hostname returns on Unix systems, the fully qualified domain - name (FQDN), or a name specified by the user. The recommended value is the lowercase - FQDN of the host.' - flat_name: host.name - ignore_above: 1024 - level: core - name: name - normalize: [] - otel: - - relation: match - stability: development - short: Name of the host. - type: keyword -host.network.egress.bytes: - dashed_name: host-network-egress-bytes - description: The number of bytes (gauge) sent out on all network interfaces by the - host since the last metric collection. - flat_name: host.network.egress.bytes - level: extended - name: network.egress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes sent on all network interfaces. - type: long -host.network.egress.packets: - dashed_name: host-network-egress-packets - description: The number of packets (gauge) sent out on all network interfaces by - the host since the last metric collection. - flat_name: host.network.egress.packets - level: extended - name: network.egress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets sent on all network interfaces. 
- type: long -host.network.ingress.bytes: - dashed_name: host-network-ingress-bytes - description: The number of bytes received (gauge) on all network interfaces by the - host since the last metric collection. - flat_name: host.network.ingress.bytes - level: extended - name: network.ingress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes received on all network interfaces. - type: long -host.network.ingress.packets: - dashed_name: host-network-ingress-packets - description: The number of packets (gauge) received on all network interfaces by - the host since the last metric collection. - flat_name: host.network.ingress.packets - level: extended - name: network.ingress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets received on all network interfaces. - type: long -host.os.family: - dashed_name: host-os-family - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - flat_name: host.os.family - ignore_above: 1024 - level: extended - name: family - normalize: [] - original_fieldset: os - short: OS family (such as redhat, debian, freebsd, windows). - type: keyword -host.os.full: - dashed_name: host-os-full - description: Operating system name, including the version or code name. - example: Mac OS Mojave - flat_name: host.os.full - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.full.text - name: text - type: match_only_text - name: full - normalize: [] - original_fieldset: os - short: Operating system name, including the version or code name. - type: keyword -host.os.kernel: - dashed_name: host-os-kernel - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - flat_name: host.os.kernel - ignore_above: 1024 - level: extended - name: kernel - normalize: [] - original_fieldset: os - short: Operating system kernel version as a raw string. - type: keyword -host.os.name: - dashed_name: host-os-name - description: Operating system name, without the version. - example: Mac OS X - flat_name: host.os.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: os - short: Operating system name, without the version. - type: keyword -host.os.platform: - dashed_name: host-os-platform - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - flat_name: host.os.platform - ignore_above: 1024 - level: extended - name: platform - normalize: [] - original_fieldset: os - short: Operating system platform (such centos, ubuntu, windows). - type: keyword -host.os.type: - dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system into one - of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field should - not be populated. Please let us know by opening an issue with ECS, to propose - its addition.' - example: macos - expected_values: - - linux - - macos - - unix - - windows - - ios - - android - flat_name: host.os.type - ignore_above: 1024 - level: extended - name: type - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or - android).' - type: keyword -host.os.version: - dashed_name: host-os-version - description: Operating system version as a raw string. - example: 10.14.1 - flat_name: host.os.version - ignore_above: 1024 - level: extended - name: version - normalize: [] - original_fieldset: os - short: Operating system version as a raw string. 
- type: keyword -host.pid_ns_ino: - dashed_name: host-pid-ns-ino - description: This is the inode number of the namespace in the namespace file system - (nsfs). Unsigned int inum in include/linux/ns_common.h. - example: 256383 - flat_name: host.pid_ns_ino - ignore_above: 1024 - level: extended - name: pid_ns_ino - normalize: [] - short: Pid namespace inode - type: keyword -host.risk.calculated_level: - dashed_name: host-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: host.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -host.risk.calculated_score: - dashed_name: host-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: host.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -host.risk.calculated_score_norm: - dashed_name: host-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: host.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -host.risk.static_level: - dashed_name: host-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: host.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -host.risk.static_score: - dashed_name: host-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: host.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -host.risk.static_score_norm: - dashed_name: host-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: host.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -host.target.architecture: - dashed_name: host-target-architecture - description: Operating system architecture. - example: x86_64 - flat_name: host.target.architecture - ignore_above: 1024 - level: core - name: architecture - normalize: [] - original_fieldset: host - short: Operating system architecture. - type: keyword -host.target.boot.id: - dashed_name: host-target-boot-id - description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. 
Note the - boot_id value from /proc may or may not be the same in containers as on the host. - Some container runtimes will bind mount a new boot_id value onto the proc file - in each container. - example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - flat_name: host.target.boot.id - ignore_above: 1024 - level: extended - name: boot.id - normalize: [] - original_fieldset: host - short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id - type: keyword -host.target.cpu.usage: - dashed_name: host-target-cpu-usage - description: 'Percent CPU used which is normalized by the number of CPU cores and - it ranges from 0 to 1. - - Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the two - cores, between 0 and 1.' - flat_name: host.target.cpu.usage - level: extended - name: cpu.usage - normalize: [] - original_fieldset: host - scaling_factor: 1000 - short: Percent CPU used, between 0 and 1. - type: scaled_float -host.target.disk.read.bytes: - dashed_name: host-target-disk-read-bytes - description: The total number of bytes (gauge) read successfully (aggregated from - all disks) since the last metric collection. - flat_name: host.target.disk.read.bytes - level: extended - name: disk.read.bytes - normalize: [] - original_fieldset: host - short: The number of bytes read by all disks. - type: long -host.target.disk.write.bytes: - dashed_name: host-target-disk-write-bytes - description: The total number of bytes (gauge) written successfully (aggregated - from all disks) since the last metric collection. - flat_name: host.target.disk.write.bytes - level: extended - name: disk.write.bytes - normalize: [] - original_fieldset: host - short: The number of bytes written on all disks. - type: long -host.target.domain: - dashed_name: host-target-domain +host.domain: + dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO - flat_name: host.target.domain + flat_name: host.domain ignore_above: 1024 level: extended name: domain normalize: [] - original_fieldset: host short: Name of the directory the group is a member of. type: keyword -host.target.entity.attributes: +host.entity.attributes: beta: This field is beta and subject to change. - dashed_name: host-target-entity-attributes + dashed_name: host-entity-attributes description: A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.attributes + flat_name: host.entity.attributes level: extended name: attributes normalize: [] original_fieldset: entity short: A set of static or semi-static attributes of the entity. type: object -host.target.entity.behavior: +host.entity.behavior: beta: This field is beta and subject to change. - dashed_name: host-target-entity-behavior + dashed_name: host-entity-behavior description: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.behavior + flat_name: host.entity.behavior level: extended name: behavior normalize: [] 
@@ -8584,17 +7999,17 @@ host.target.entity.behavior: short: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. type: object -host.target.entity.display_name: +host.entity.display_name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-display-name + dashed_name: host-entity-display-name description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). - flat_name: host.target.entity.display_name + flat_name: host.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.entity.display_name.text + - flat_name: host.entity.display_name.text name: text type: match_only_text name: display_name @@ -8602,8 +8017,8 @@ host.target.entity.display_name: original_fieldset: entity short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -host.target.entity.id: - dashed_name: host-target-entity-id +host.entity.id: + dashed_name: host-entity-id description: 'A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is @@ -8611,7 +8026,7 @@ host.target.entity.id: observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: host.target.entity.id + flat_name: host.entity.id ignore_above: 1024 level: core name: id 
@@ -8619,56 +8034,56 @@ host.target.entity.id: original_fieldset: entity short: Unique identifier for the entity. type: keyword -host.target.entity.last_seen_timestamp: +host.entity.last_seen_timestamp: beta: This field is beta and subject to change. - dashed_name: host-target-entity-last-seen-timestamp + dashed_name: host-entity-last-seen-timestamp description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. - flat_name: host.target.entity.last_seen_timestamp + flat_name: host.entity.last_seen_timestamp level: extended name: last_seen_timestamp normalize: [] original_fieldset: entity short: Indicates the date/time when this entity was last "seen." type: date -host.target.entity.lifecycle: +host.entity.lifecycle: beta: This field is beta and subject to change. - dashed_name: host-target-entity-lifecycle + dashed_name: host-entity-lifecycle description: A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.lifecycle + flat_name: host.entity.lifecycle level: extended name: lifecycle normalize: [] original_fieldset: entity short: A set of temporal characteristics of the entity. type: object -host.target.entity.metrics: +host.entity.metrics: beta: This field is beta and subject to change. - dashed_name: host-target-entity-metrics + dashed_name: host-entity-metrics description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. - flat_name: host.target.entity.metrics + flat_name: host.entity.metrics level: extended name: metrics normalize: [] original_fieldset: entity short: Field set for any fields containing numeric entity metrics. 
type: object -host.target.entity.name: +host.entity.name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-name + dashed_name: host-entity-name description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. - flat_name: host.target.entity.name + flat_name: host.entity.name ignore_above: 1024 level: core multi_fields: - - flat_name: host.target.entity.name.text + - flat_name: host.entity.name.text name: text type: match_only_text name: name @@ -8676,27 +8091,27 @@ host.target.entity.name: original_fieldset: entity short: The name of the entity. type: keyword -host.target.entity.raw: +host.entity.raw: beta: This field is beta and subject to change. - dashed_name: host-target-entity-raw + dashed_name: host-entity-raw description: Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. - flat_name: host.target.entity.raw + flat_name: host.entity.raw level: extended name: raw normalize: [] original_fieldset: entity short: Original, unmodified fields from the source system. type: object -host.target.entity.reference: +host.entity.reference: beta: This field is beta and subject to change. - dashed_name: host-target-entity-reference + dashed_name: host-entity-reference description: A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. - flat_name: host.target.entity.reference + flat_name: host.entity.reference ignore_above: 1024 level: extended name: reference 
@@ -8704,12 +8119,26 @@ host.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -host.target.entity.source: +host.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object +host.entity.source: beta: This field is beta and subject to change. - dashed_name: host-target-entity-source + dashed_name: host-entity-source description: The module or integration that provided this entity data (similar to event.module). - flat_name: host.target.entity.source + flat_name: host.entity.source ignore_above: 1024 level: core name: source 
@@ -8717,16 +8146,16 @@ host.target.entity.source: original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword -host.target.entity.sub_type: +host.entity.sub_type: beta: This field is beta and subject to change. - dashed_name: host-target-entity-sub-type + dashed_name: host-entity-sub-type description: 'The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket - flat_name: host.target.entity.sub_type + flat_name: host.entity.sub_type ignore_above: 1024 level: extended name: sub_type @@ -8735,7 +8164,7 @@ host.target.entity.sub_type: short: The specific type designation for the entity as defined by its provider or system. type: keyword -host.target.entity.type: +host.entity.type: allowed_values: - description: Represents a storage container or bucket, typically used for object storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, @@ -8796,7 +8225,7 @@ host.target.entity.type: of containers or workloads. name: orchestrator beta: This field is beta and subject to change. - dashed_name: host-target-entity-type + dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, 
@@ -8804,7 +8233,7 @@ host.target.entity.type: nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.' example: host - flat_name: host.target.entity.type + flat_name: host.entity.type ignore_above: 1024 level: core name: type @@ -8813,11 +8242,11 @@ host.target.entity.type: original_fieldset: entity short: Standardized high-level classification of the entity. type: keyword -host.target.geo.city_name: - dashed_name: host-target-geo-city-name +host.geo.city_name: + dashed_name: host-geo-city-name description: City name. example: Montreal - flat_name: host.target.geo.city_name + flat_name: host.geo.city_name ignore_above: 1024 level: core name: city_name @@ -8825,11 +8254,11 @@ host.target.geo.city_name: original_fieldset: geo short: City name. type: keyword -host.target.geo.continent_code: - dashed_name: host-target-geo-continent-code +host.geo.continent_code: + dashed_name: host-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: host.target.geo.continent_code + flat_name: host.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -8837,11 +8266,11 @@ host.target.geo.continent_code: original_fieldset: geo short: Continent code. type: keyword -host.target.geo.continent_name: - dashed_name: host-target-geo-continent-name +host.geo.continent_name: + dashed_name: host-geo-continent-name description: Name of the continent. example: North America - flat_name: host.target.geo.continent_name + flat_name: host.geo.continent_name ignore_above: 1024 level: core name: continent_name 
@@ -8849,11 +8278,11 @@ host.target.geo.continent_name: original_fieldset: geo short: Name of the continent. type: keyword -host.target.geo.country_iso_code: - dashed_name: host-target-geo-country-iso-code +host.geo.country_iso_code: + dashed_name: host-geo-country-iso-code description: Country ISO code. example: CA - flat_name: host.target.geo.country_iso_code + flat_name: host.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code @@ -8861,11 +8290,11 @@ host.target.geo.country_iso_code: original_fieldset: geo short: Country ISO code. type: keyword -host.target.geo.country_name: - dashed_name: host-target-geo-country-name +host.geo.country_name: + dashed_name: host-geo-country-name description: Country name. example: Canada - flat_name: host.target.geo.country_name + flat_name: host.geo.country_name ignore_above: 1024 level: core name: country_name @@ -8873,19 +8302,19 @@ host.target.geo.country_name: original_fieldset: geo short: Country name. type: keyword -host.target.geo.location: - dashed_name: host-target-geo-location +host.geo.location: + dashed_name: host-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.target.geo.location + flat_name: host.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point -host.target.geo.name: - dashed_name: host-target-geo-name +host.geo.name: + dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -8894,7 +8323,7 @@ host.target.geo.name: Not typically used in automated geolocation.' example: boston-dc - flat_name: host.target.geo.name + flat_name: host.geo.name ignore_above: 1024 level: extended name: name 
@@ -8902,14 +8331,14 @@ host.target.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword -host.target.geo.postal_code: - dashed_name: host-target-geo-postal-code +host.geo.postal_code: + dashed_name: host-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: host.target.geo.postal_code + flat_name: host.geo.postal_code ignore_above: 1024 level: core name: postal_code @@ -8917,11 +8346,11 @@ host.target.geo.postal_code: original_fieldset: geo short: Postal code. type: keyword -host.target.geo.region_iso_code: - dashed_name: host-target-geo-region-iso-code +host.geo.region_iso_code: + dashed_name: host-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: host.target.geo.region_iso_code + flat_name: host.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -8929,11 +8358,11 @@ host.target.geo.region_iso_code: original_fieldset: geo short: Region ISO code. type: keyword -host.target.geo.region_name: - dashed_name: host-target-geo-region-name +host.geo.region_name: + dashed_name: host-geo-region-name description: Region name. example: Quebec - flat_name: host.target.geo.region_name + flat_name: host.geo.region_name ignore_above: 1024 level: core name: region_name @@ -8941,11 +8370,11 @@ host.target.geo.region_name: original_fieldset: geo short: Region name. type: keyword -host.target.geo.timezone: - dashed_name: host-target-geo-timezone +host.geo.timezone: + dashed_name: host-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: host.target.geo.timezone + flat_name: host.geo.timezone ignore_above: 1024 level: core name: timezone 
@@ -8953,129 +8382,148 @@ host.target.geo.timezone: original_fieldset: geo short: Time zone. type: keyword -host.target.hostname: - dashed_name: host-target-hostname +host.hostname: + dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.target.hostname + flat_name: host.hostname ignore_above: 1024 level: core name: hostname normalize: [] - original_fieldset: host short: Hostname of the host. type: keyword -host.target.id: - dashed_name: host-target-id +host.id: + dashed_name: host-id description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - flat_name: host.target.id + flat_name: host.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Unique host id. type: keyword -host.target.ip: - dashed_name: host-target-ip +host.ip: + dashed_name: host-ip description: Host ip addresses. - flat_name: host.target.ip + flat_name: host.ip level: core name: ip normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development short: Host ip addresses. synthetic_source_keep: none type: ip -host.target.mac: - dashed_name: host-target-mac +host.mac: + dashed_name: host-mac description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.target.mac + flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. 
synthetic_source_keep: none type: keyword -host.target.name: - dashed_name: host-target-name +host.name: + dashed_name: host-name description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - flat_name: host.target.name + flat_name: host.name ignore_above: 1024 level: core name: name normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Name of the host. type: keyword -host.target.network.egress.bytes: - dashed_name: host-target-network-egress-bytes +host.network.egress.bytes: + dashed_name: host-network-egress-bytes description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.egress.bytes + flat_name: host.network.egress.bytes level: extended name: network.egress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes sent on all network interfaces. type: long -host.target.network.egress.packets: - dashed_name: host-target-network-egress-packets +host.network.egress.packets: + dashed_name: host-network-egress-packets description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.egress.packets + flat_name: host.network.egress.packets level: extended name: network.egress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets sent on all network interfaces. 
type: long -host.target.network.ingress.bytes: - dashed_name: host-target-network-ingress-bytes +host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.bytes + flat_name: host.network.ingress.bytes level: extended name: network.ingress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes received on all network interfaces. type: long -host.target.network.ingress.packets: - dashed_name: host-target-network-ingress-packets +host.network.ingress.packets: + dashed_name: host-network-ingress-packets description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.packets + flat_name: host.network.ingress.packets level: extended name: network.ingress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets received on all network interfaces. type: long -host.target.os.family: - dashed_name: host-target-os-family +host.os.family: + dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). example: debian - flat_name: host.target.os.family + flat_name: host.os.family ignore_above: 1024 level: extended name: family 
@@ -9083,15 +8531,15 @@ host.target.os.family: original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). type: keyword -host.target.os.full: - dashed_name: host-target-os-full +host.os.full: + dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave - flat_name: host.target.os.full + flat_name: host.os.full ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.full.text + - flat_name: host.os.full.text name: text type: match_only_text name: full @@ -9099,11 +8547,11 @@ host.target.os.full: original_fieldset: os short: Operating system name, including the version or code name. type: keyword -host.target.os.kernel: - dashed_name: host-target-os-kernel +host.os.kernel: + dashed_name: host-os-kernel description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - flat_name: host.target.os.kernel + flat_name: host.os.kernel ignore_above: 1024 level: extended name: kernel @@ -9111,15 +8559,15 @@ host.target.os.kernel: original_fieldset: os short: Operating system kernel version as a raw string. type: keyword -host.target.os.name: - dashed_name: host-target-os-name +host.os.name: + dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X - flat_name: host.target.os.name + flat_name: host.os.name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.name.text + - flat_name: host.os.name.text name: text type: match_only_text name: name 
@@ -9127,11 +8575,11 @@ host.target.os.name: original_fieldset: os short: Operating system name, without the version. type: keyword -host.target.os.platform: - dashed_name: host-target-os-platform +host.os.platform: + dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). example: darwin - flat_name: host.target.os.platform + flat_name: host.os.platform ignore_above: 1024 level: extended name: platform @@ -9139,8 +8587,8 @@ host.target.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword -host.target.os.type: - dashed_name: host-target-os-type +host.os.type: + dashed_name: host-os-type description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. @@ -9155,7 +8603,7 @@ host.target.os.type: - windows - ios - android - flat_name: host.target.os.type + flat_name: host.os.type ignore_above: 1024 level: extended name: type @@ -9164,11 +8612,11 @@ host.target.os.type: short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword -host.target.os.version: - dashed_name: host-target-os-version +host.os.version: + dashed_name: host-os-version description: Operating system version as a raw string. example: 10.14.1 - flat_name: host.target.os.version + flat_name: host.os.version ignore_above: 1024 level: extended name: version 
@@ -9176,25 +8624,24 @@ host.target.os.version: original_fieldset: os short: Operating system version as a raw string. type: keyword -host.target.pid_ns_ino: - dashed_name: host-target-pid-ns-ino +host.pid_ns_ino: + dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 - flat_name: host.target.pid_ns_ino + flat_name: host.pid_ns_ino ignore_above: 1024 level: extended name: pid_ns_ino normalize: [] - original_fieldset: host short: Pid namespace inode type: keyword -host.target.risk.calculated_level: - dashed_name: host-target-risk-calculated-level +host.risk.calculated_level: + dashed_name: host-risk-calculated-level description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. example: High - flat_name: host.target.risk.calculated_level + flat_name: host.risk.calculated_level ignore_above: 1024 level: extended name: calculated_level @@ -9203,12 +8650,12 @@ host.target.risk.calculated_level: short: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword -host.target.risk.calculated_score: - dashed_name: host-target-risk-calculated-score +host.risk.calculated_score: + dashed_name: host-risk-calculated-score description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. example: 880.73 - flat_name: host.target.risk.calculated_score + flat_name: host.risk.calculated_score level: extended name: calculated_score normalize: [] 
@@ -9216,25 +8663,25 @@ host.target.risk.calculated_score: short: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float -host.target.risk.calculated_score_norm: - dashed_name: host-target-risk-calculated-score-norm +host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. example: 88.73 - flat_name: host.target.risk.calculated_score_norm + flat_name: host.risk.calculated_score_norm level: extended name: calculated_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an internal system. type: float -host.target.risk.static_level: - dashed_name: host-target-risk-static-level +host.risk.static_level: + dashed_name: host-risk-static-level description: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. example: High - flat_name: host.target.risk.static_level + flat_name: host.risk.static_level ignore_above: 1024 level: extended name: static_level @@ -9243,12 +8690,12 @@ host.target.risk.static_level: short: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword -host.target.risk.static_score: - dashed_name: host-target-risk-static-score +host.risk.static_score: + dashed_name: host-risk-static-score description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. example: 830.0 - flat_name: host.target.risk.static_score + flat_name: host.risk.static_score level: extended name: static_score normalize: [] 
@@ -9256,44 +8703,19 @@ host.target.risk.static_score: short: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float -host.target.risk.static_score_norm: - dashed_name: host-target-risk-static-score-norm +host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. example: 83.0 - flat_name: host.target.risk.static_score_norm + flat_name: host.risk.static_score_norm level: extended name: static_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an external system. type: float -host.target.type: - dashed_name: host-target-type - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this - could be the container, for example, or other information meaningful in your environment.' - flat_name: host.target.type - ignore_above: 1024 - level: core - name: type - normalize: [] - original_fieldset: host - short: Type of host. - type: keyword -host.target.uptime: - dashed_name: host-target-uptime - description: Seconds the host has been up. - example: 1325 - flat_name: host.target.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: host - short: Seconds the host has been up. - type: long host.type: dashed_name: host-type description: 'Type of host. 
@@ -10778,6 +10200,20 @@ orchestrator.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +orchestrator.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: orchestrator-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: orchestrator.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source @@ -17258,6 +16694,20 @@ service.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +service.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source 
@@ -17678,6 +17128,20 @@ service.origin.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +service.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source @@ -18147,6 +17611,20 @@ service.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +service.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source 
@@ -26110,6 +25588,20 @@ user.changes.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.changes.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.changes.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source @@ -26593,6 +26085,20 @@ user.effective.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.effective.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.effective.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source 
@@ -27053,6 +26559,20 @@ user.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source @@ -27534,6 +27054,20 @@ user.target.entity.reference: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword +user.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 05f243bb94..d8e8e724e6 100644 --- a/generated/ecs/ecs_nested.yml 
+++ b/generated/ecs/ecs_nested.yml @@ -971,6 +971,20 @@ cloud: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + cloud.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: cloud.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source @@ -1310,6 +1324,20 @@ cloud: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + cloud.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: cloud.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source 
@@ -1795,6 +1823,20 @@ cloud: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + cloud.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: cloud-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: cloud.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source 
@@ -5026,6 +5068,99 @@ entity: normalize: [] short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + entity.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: entity.relationship + level: extended + name: relationship + normalize: [] + short: A set of relationship attributes that can vary between entity types. + type: object + entity.risk.calculated_level: + dashed_name: entity-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: entity.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + entity.risk.calculated_score: + dashed_name: entity-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + entity.risk.calculated_score_norm: + dashed_name: entity-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: entity.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + entity.risk.static_level: + dashed_name: entity-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + entity.risk.static_score: + dashed_name: entity-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + entity.risk.static_score_norm: + dashed_name: entity-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: entity.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.source: beta: This field is beta and subject to change. dashed_name: entity-source 
@@ -5208,6 +5343,100 @@ entity: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + entity.target.relationship: + beta: This field is beta and subject to change. + dashed_name: entity-target-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: entity.target.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object + entity.target.risk.calculated_level: + dashed_name: entity-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: entity.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + entity.target.risk.calculated_score: + dashed_name: entity-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: entity.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + entity.target.risk.calculated_score_norm: + dashed_name: entity-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: entity.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + entity.target.risk.static_level: + dashed_name: entity-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: entity.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + entity.target.risk.static_score: + dashed_name: entity-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: entity.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + entity.target.risk.static_score_norm: + dashed_name: entity-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: entity.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source @@ -5408,6 +5637,7 @@ entity: group: 2 name: entity nestings: + - entity.risk - entity.target prefix: entity. reusable: @@ -5433,6 +5663,9 @@ entity: short_override: Targeted entity of action taken. top_level: true reused_here: + - full: entity.risk + schema_name: risk + short: Fields for describing risk score and level. - full: entity.target schema_name: entity short: Targeted entity of action taken. 
@@ -9263,886 +9496,64 @@ host: name: disk.read.bytes normalize: [] otel: - - metric: system.disk.io - relation: metric - stability: development - short: The number of bytes read by all disks. - type: long - host.disk.write.bytes: - dashed_name: host-disk-write-bytes - description: The total number of bytes (gauge) written successfully (aggregated - from all disks) since the last metric collection. - flat_name: host.disk.write.bytes - level: extended - name: disk.write.bytes - normalize: [] - otel: - - metric: system.disk.io - relation: metric - stability: development - short: The number of bytes written on all disks. - type: long - host.domain: - dashed_name: host-domain - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain - or NetBIOS domain name. For Linux this could be the domain of the host''s - LDAP provider.' - example: CONTOSO - flat_name: host.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - short: Name of the directory the group is a member of. - type: keyword - host.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: host-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: host.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - host.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: host-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: host.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - host.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: host-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: host.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - host.entity.id: - dashed_name: host-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: host.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - host.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: host-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: host.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - host.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: host-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: host.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - host.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: host-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: host.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - host.entity.name: - beta: This field is beta and subject to change. - dashed_name: host-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: host.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: host.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - host.entity.raw: - beta: This field is beta and subject to change. - dashed_name: host-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: host.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - host.entity.reference: - beta: This field is beta and subject to change. - dashed_name: host-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: host.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - host.entity.source: - beta: This field is beta and subject to change. - dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: host.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - host.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: host-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: host.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - host.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: host-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, or similar, - its type array should include the matching value — for example, `host` or - `cloud`.' - example: host - flat_name: host.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - host.geo.city_name: - dashed_name: host-geo-city-name - description: City name. - example: Montreal - flat_name: host.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - host.geo.continent_code: - dashed_name: host-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: host.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword - host.geo.continent_name: - dashed_name: host-geo-continent-name - description: Name of the continent. - example: North America - flat_name: host.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - host.geo.country_iso_code: - dashed_name: host-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: host.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - host.geo.country_name: - dashed_name: host-geo-country-name - description: Country name. - example: Canada - flat_name: host.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - host.geo.location: - dashed_name: host-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - host.geo.name: - dashed_name: host-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: host.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - host.geo.postal_code: - dashed_name: host-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: host.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - host.geo.region_iso_code: - dashed_name: host-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: host.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - host.geo.region_name: - dashed_name: host-geo-region-name - description: Region name. - example: Quebec - flat_name: host.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - host.geo.timezone: - dashed_name: host-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: host.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - host.hostname: - dashed_name: host-hostname - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.hostname - ignore_above: 1024 - level: core - name: hostname - normalize: [] - short: Hostname of the host. - type: keyword - host.id: - dashed_name: host-id - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - flat_name: host.id - ignore_above: 1024 - level: core - name: id - normalize: [] - otel: - - relation: match - stability: development - short: Unique host id. - type: keyword - host.ip: - dashed_name: host-ip - description: Host ip addresses. - flat_name: host.ip - level: core - name: ip - normalize: - - array - otel: - - relation: match - stability: development - short: Host ip addresses. 
- synthetic_source_keep: none - type: ip - host.mac: - dashed_name: host-mac - description: 'Host MAC addresses. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.mac - ignore_above: 1024 - level: core - name: mac - normalize: - - array - otel: - - relation: match - stability: development - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: Host MAC addresses. - synthetic_source_keep: none - type: keyword - host.name: - dashed_name: host-name - description: 'Name of the host. - - It can contain what hostname returns on Unix systems, the fully qualified - domain name (FQDN), or a name specified by the user. The recommended value - is the lowercase FQDN of the host.' - flat_name: host.name - ignore_above: 1024 - level: core - name: name - normalize: [] - otel: - - relation: match - stability: development - short: Name of the host. - type: keyword - host.network.egress.bytes: - dashed_name: host-network-egress-bytes - description: The number of bytes (gauge) sent out on all network interfaces - by the host since the last metric collection. - flat_name: host.network.egress.bytes - level: extended - name: network.egress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes sent on all network interfaces. - type: long - host.network.egress.packets: - dashed_name: host-network-egress-packets - description: The number of packets (gauge) sent out on all network interfaces - by the host since the last metric collection. 
- flat_name: host.network.egress.packets - level: extended - name: network.egress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets sent on all network interfaces. - type: long - host.network.ingress.bytes: - dashed_name: host-network-ingress-bytes - description: The number of bytes received (gauge) on all network interfaces - by the host since the last metric collection. - flat_name: host.network.ingress.bytes - level: extended - name: network.ingress.bytes - normalize: [] - otel: - - metric: system.network.io - relation: metric - stability: development - short: The number of bytes received on all network interfaces. - type: long - host.network.ingress.packets: - dashed_name: host-network-ingress-packets - description: The number of packets (gauge) received on all network interfaces - by the host since the last metric collection. - flat_name: host.network.ingress.packets - level: extended - name: network.ingress.packets - normalize: [] - otel: - - metric: system.network.packet.count - relation: metric - stability: development - short: The number of packets received on all network interfaces. - type: long - host.os.family: - dashed_name: host-os-family - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - flat_name: host.os.family - ignore_above: 1024 - level: extended - name: family - normalize: [] - original_fieldset: os - short: OS family (such as redhat, debian, freebsd, windows). - type: keyword - host.os.full: - dashed_name: host-os-full - description: Operating system name, including the version or code name. - example: Mac OS Mojave - flat_name: host.os.full - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.full.text - name: text - type: match_only_text - name: full - normalize: [] - original_fieldset: os - short: Operating system name, including the version or code name. 
- type: keyword - host.os.kernel: - dashed_name: host-os-kernel - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - flat_name: host.os.kernel - ignore_above: 1024 - level: extended - name: kernel - normalize: [] - original_fieldset: os - short: Operating system kernel version as a raw string. - type: keyword - host.os.name: - dashed_name: host-os-name - description: Operating system name, without the version. - example: Mac OS X - flat_name: host.os.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: host.os.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: os - short: Operating system name, without the version. - type: keyword - host.os.platform: - dashed_name: host-os-platform - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - flat_name: host.os.platform - ignore_above: 1024 - level: extended - name: platform - normalize: [] - original_fieldset: os - short: Operating system platform (such centos, ubuntu, windows). - type: keyword - host.os.type: - dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system into - one of the broad commercial families. - - If the OS you''re dealing with is not listed as an expected value, the field - should not be populated. Please let us know by opening an issue with ECS, - to propose its addition.' - example: macos - expected_values: - - linux - - macos - - unix - - windows - - ios - - android - flat_name: host.os.type - ignore_above: 1024 - level: extended - name: type - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios - or android).' - type: keyword - host.os.version: - dashed_name: host-os-version - description: Operating system version as a raw string. 
- example: 10.14.1 - flat_name: host.os.version - ignore_above: 1024 - level: extended - name: version - normalize: [] - original_fieldset: os - short: Operating system version as a raw string. - type: keyword - host.pid_ns_ino: - dashed_name: host-pid-ns-ino - description: This is the inode number of the namespace in the namespace file - system (nsfs). Unsigned int inum in include/linux/ns_common.h. - example: 256383 - flat_name: host.pid_ns_ino - ignore_above: 1024 - level: extended - name: pid_ns_ino - normalize: [] - short: Pid namespace inode - type: keyword - host.risk.calculated_level: - dashed_name: host-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: host.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - host.risk.calculated_score: - dashed_name: host-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: host.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - host.risk.calculated_score_norm: - dashed_name: host-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: host.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - host.risk.static_level: - dashed_name: host-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: host.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - host.risk.static_score: - dashed_name: host-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: host.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - host.risk.static_score_norm: - dashed_name: host-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: host.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - host.target.architecture: - dashed_name: host-target-architecture - description: Operating system architecture. - example: x86_64 - flat_name: host.target.architecture - ignore_above: 1024 - level: core - name: architecture - normalize: [] - original_fieldset: host - short: Operating system architecture. 
- type: keyword - host.target.boot.id: - dashed_name: host-target-boot-id - description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note - the boot_id value from /proc may or may not be the same in containers as on - the host. Some container runtimes will bind mount a new boot_id value onto - the proc file in each container. - example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - flat_name: host.target.boot.id - ignore_above: 1024 - level: extended - name: boot.id - normalize: [] - original_fieldset: host - short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id - type: keyword - host.target.cpu.usage: - dashed_name: host-target-cpu-usage - description: 'Percent CPU used which is normalized by the number of CPU cores - and it ranges from 0 to 1. - - Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the - two cores, between 0 and 1.' - flat_name: host.target.cpu.usage - level: extended - name: cpu.usage - normalize: [] - original_fieldset: host - scaling_factor: 1000 - short: Percent CPU used, between 0 and 1. - type: scaled_float - host.target.disk.read.bytes: - dashed_name: host-target-disk-read-bytes - description: The total number of bytes (gauge) read successfully (aggregated - from all disks) since the last metric collection. - flat_name: host.target.disk.read.bytes - level: extended - name: disk.read.bytes - normalize: [] - original_fieldset: host + - metric: system.disk.io + relation: metric + stability: development short: The number of bytes read by all disks. type: long - host.target.disk.write.bytes: - dashed_name: host-target-disk-write-bytes + host.disk.write.bytes: + dashed_name: host-disk-write-bytes description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. 
- flat_name: host.target.disk.write.bytes + flat_name: host.disk.write.bytes level: extended name: disk.write.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.disk.io + relation: metric + stability: development short: The number of bytes written on all disks. type: long - host.target.domain: - dashed_name: host-target-domain + host.domain: + dashed_name: host-domain description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO - flat_name: host.target.domain + flat_name: host.domain ignore_above: 1024 level: extended name: domain normalize: [] - original_fieldset: host short: Name of the directory the group is a member of. type: keyword - host.target.entity.attributes: + host.entity.attributes: beta: This field is beta and subject to change. - dashed_name: host-target-entity-attributes + dashed_name: host-entity-attributes description: A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.attributes + flat_name: host.entity.attributes level: extended name: attributes normalize: [] original_fieldset: entity short: A set of static or semi-static attributes of the entity. type: object - host.target.entity.behavior: + host.entity.behavior: beta: This field is beta and subject to change. - dashed_name: host-target-entity-behavior + dashed_name: host-entity-behavior description: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. 
Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.behavior + flat_name: host.entity.behavior level: extended name: behavior normalize: [] @@ -10150,17 +9561,17 @@ host: short: A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. type: object - host.target.entity.display_name: + host.entity.display_name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-display-name + dashed_name: host-entity-display-name description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). - flat_name: host.target.entity.display_name + flat_name: host.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.entity.display_name.text + - flat_name: host.entity.display_name.text name: text type: match_only_text name: display_name @@ -10169,8 +9580,8 @@ host: short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword - host.target.entity.id: - dashed_name: host-target-entity-id + host.entity.id: + dashed_name: host-entity-id description: 'A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity''s lifecycle, 2) ensures uniqueness within its @@ -10179,7 +9590,7 @@ host: field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: host.target.entity.id + flat_name: host.entity.id ignore_above: 1024 level: core name: id 
@@ -10187,56 +9598,56 @@ host: original_fieldset: entity short: Unique identifier for the entity. type: keyword - host.target.entity.last_seen_timestamp: + host.entity.last_seen_timestamp: beta: This field is beta and subject to change. - dashed_name: host-target-entity-last-seen-timestamp + dashed_name: host-entity-last-seen-timestamp description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. - flat_name: host.target.entity.last_seen_timestamp + flat_name: host.entity.last_seen_timestamp level: extended name: last_seen_timestamp normalize: [] original_fieldset: entity short: Indicates the date/time when this entity was last "seen." type: date - host.target.entity.lifecycle: + host.entity.lifecycle: beta: This field is beta and subject to change. - dashed_name: host-target-entity-lifecycle + dashed_name: host-entity-lifecycle description: A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. - flat_name: host.target.entity.lifecycle + flat_name: host.entity.lifecycle level: extended name: lifecycle normalize: [] original_fieldset: entity short: A set of temporal characteristics of the entity. type: object - host.target.entity.metrics: + host.entity.metrics: beta: This field is beta and subject to change. - dashed_name: host-target-entity-metrics + dashed_name: host-entity-metrics description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. - flat_name: host.target.entity.metrics + flat_name: host.entity.metrics level: extended name: metrics normalize: [] original_fieldset: entity short: Field set for any fields containing numeric entity metrics. 
type: object - host.target.entity.name: + host.entity.name: beta: This field is beta and subject to change. - dashed_name: host-target-entity-name + dashed_name: host-entity-name description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. - flat_name: host.target.entity.name + flat_name: host.entity.name ignore_above: 1024 level: core multi_fields: - - flat_name: host.target.entity.name.text + - flat_name: host.entity.name.text name: text type: match_only_text name: name @@ -10244,27 +9655,27 @@ host: original_fieldset: entity short: The name of the entity. type: keyword - host.target.entity.raw: + host.entity.raw: beta: This field is beta and subject to change. - dashed_name: host-target-entity-raw + dashed_name: host-entity-raw description: Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. - flat_name: host.target.entity.raw + flat_name: host.entity.raw level: extended name: raw normalize: [] original_fieldset: entity short: Original, unmodified fields from the source system. type: object - host.target.entity.reference: + host.entity.reference: beta: This field is beta and subject to change. - dashed_name: host-target-entity-reference + dashed_name: host-entity-reference description: A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. - flat_name: host.target.entity.reference + flat_name: host.entity.reference ignore_above: 1024 level: extended name: reference 
@@ -10272,12 +9683,26 @@ host: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - host.target.entity.source: + host.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: host.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object + host.entity.source: beta: This field is beta and subject to change. - dashed_name: host-target-entity-source + dashed_name: host-entity-source description: The module or integration that provided this entity data (similar to event.module). - flat_name: host.target.entity.source + flat_name: host.entity.source ignore_above: 1024 level: core name: source 
@@ -10285,16 +9710,16 @@ host: original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword - host.target.entity.sub_type: + host.entity.sub_type: beta: This field is beta and subject to change. - dashed_name: host-target-entity-sub-type + dashed_name: host-entity-sub-type description: 'The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket - flat_name: host.target.entity.sub_type + flat_name: host.entity.sub_type ignore_above: 1024 level: extended name: sub_type @@ -10303,7 +9728,7 @@ host: short: The specific type designation for the entity as defined by its provider or system. type: keyword - host.target.entity.type: + host.entity.type: allowed_values: - description: Represents a storage container or bucket, typically used for object storage. Common examples include AWS S3 buckets, Google Cloud Storage @@ -10366,7 +9791,7 @@ host: and networking of containers or workloads. name: orchestrator beta: This field is beta and subject to change. - dashed_name: host-target-entity-type + dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, @@ -10375,7 +9800,7 @@ host: its type array should include the matching value — for example, `host` or `cloud`.' example: host - flat_name: host.target.entity.type + flat_name: host.entity.type ignore_above: 1024 level: core name: type 
@@ -10384,11 +9809,11 @@ host: original_fieldset: entity short: Standardized high-level classification of the entity. type: keyword - host.target.geo.city_name: - dashed_name: host-target-geo-city-name + host.geo.city_name: + dashed_name: host-geo-city-name description: City name. example: Montreal - flat_name: host.target.geo.city_name + flat_name: host.geo.city_name ignore_above: 1024 level: core name: city_name @@ -10396,11 +9821,11 @@ host: original_fieldset: geo short: City name. type: keyword - host.target.geo.continent_code: - dashed_name: host-target-geo-continent-code + host.geo.continent_code: + dashed_name: host-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: host.target.geo.continent_code + flat_name: host.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -10408,11 +9833,11 @@ host: original_fieldset: geo short: Continent code. type: keyword - host.target.geo.continent_name: - dashed_name: host-target-geo-continent-name + host.geo.continent_name: + dashed_name: host-geo-continent-name description: Name of the continent. example: North America - flat_name: host.target.geo.continent_name + flat_name: host.geo.continent_name ignore_above: 1024 level: core name: continent_name @@ -10420,11 +9845,11 @@ host: original_fieldset: geo short: Name of the continent. type: keyword - host.target.geo.country_iso_code: - dashed_name: host-target-geo-country-iso-code + host.geo.country_iso_code: + dashed_name: host-geo-country-iso-code description: Country ISO code. example: CA - flat_name: host.target.geo.country_iso_code + flat_name: host.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code 
@@ -10432,11 +9857,11 @@ host: original_fieldset: geo short: Country ISO code. type: keyword - host.target.geo.country_name: - dashed_name: host-target-geo-country-name + host.geo.country_name: + dashed_name: host-geo-country-name description: Country name. example: Canada - flat_name: host.target.geo.country_name + flat_name: host.geo.country_name ignore_above: 1024 level: core name: country_name @@ -10444,19 +9869,19 @@ host: original_fieldset: geo short: Country name. type: keyword - host.target.geo.location: - dashed_name: host-target-geo-location + host.geo.location: + dashed_name: host-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: host.target.geo.location + flat_name: host.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point - host.target.geo.name: - dashed_name: host-target-geo-name + host.geo.name: + dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -10465,7 +9890,7 @@ host: Not typically used in automated geolocation.' example: boston-dc - flat_name: host.target.geo.name + flat_name: host.geo.name ignore_above: 1024 level: extended name: name @@ -10473,14 +9898,14 @@ host: original_fieldset: geo short: User-defined description of a location. type: keyword - host.target.geo.postal_code: - dashed_name: host-target-geo-postal-code + host.geo.postal_code: + dashed_name: host-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: host.target.geo.postal_code + flat_name: host.geo.postal_code ignore_above: 1024 level: core name: postal_code 
@@ -10488,11 +9913,11 @@ host: original_fieldset: geo short: Postal code. type: keyword - host.target.geo.region_iso_code: - dashed_name: host-target-geo-region-iso-code + host.geo.region_iso_code: + dashed_name: host-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: host.target.geo.region_iso_code + flat_name: host.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -10500,11 +9925,11 @@ host: original_fieldset: geo short: Region ISO code. type: keyword - host.target.geo.region_name: - dashed_name: host-target-geo-region-name + host.geo.region_name: + dashed_name: host-geo-region-name description: Region name. example: Quebec - flat_name: host.target.geo.region_name + flat_name: host.geo.region_name ignore_above: 1024 level: core name: region_name @@ -10512,11 +9937,11 @@ host: original_fieldset: geo short: Region name. type: keyword - host.target.geo.timezone: - dashed_name: host-target-geo-timezone + host.geo.timezone: + dashed_name: host-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: host.target.geo.timezone + flat_name: host.geo.timezone ignore_above: 1024 level: core name: timezone 
@@ -10524,48 +9949,51 @@ host: original_fieldset: geo short: Time zone. type: keyword - host.target.hostname: - dashed_name: host-target-hostname + host.hostname: + dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - flat_name: host.target.hostname + flat_name: host.hostname ignore_above: 1024 level: core name: hostname normalize: [] - original_fieldset: host short: Hostname of the host. type: keyword - host.target.id: - dashed_name: host-target-id + host.id: + dashed_name: host-id description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - flat_name: host.target.id + flat_name: host.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Unique host id. type: keyword - host.target.ip: - dashed_name: host-target-ip + host.ip: + dashed_name: host-ip description: Host ip addresses. - flat_name: host.target.ip + flat_name: host.ip level: core name: ip normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development short: Host ip addresses. synthetic_source_keep: none type: ip - host.target.mac: - dashed_name: host-target-mac + host.mac: + dashed_name: host-mac description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit 
@@ -10573,81 +10001,97 @@ host: of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - flat_name: host.target.mac + flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - original_fieldset: host + otel: + - relation: match + stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. synthetic_source_keep: none type: keyword - host.target.name: - dashed_name: host-target-name + host.name: + dashed_name: host-name description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - flat_name: host.target.name + flat_name: host.name ignore_above: 1024 level: core name: name normalize: [] - original_fieldset: host + otel: + - relation: match + stability: development short: Name of the host. type: keyword - host.target.network.egress.bytes: - dashed_name: host-target-network-egress-bytes + host.network.egress.bytes: + dashed_name: host-network-egress-bytes description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.egress.bytes + flat_name: host.network.egress.bytes level: extended name: network.egress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes sent on all network interfaces. type: long - host.target.network.egress.packets: - dashed_name: host-target-network-egress-packets + host.network.egress.packets: + dashed_name: host-network-egress-packets description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
- flat_name: host.target.network.egress.packets + flat_name: host.network.egress.packets level: extended name: network.egress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets sent on all network interfaces. type: long - host.target.network.ingress.bytes: - dashed_name: host-target-network-ingress-bytes + host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.bytes + flat_name: host.network.ingress.bytes level: extended name: network.ingress.bytes normalize: [] - original_fieldset: host + otel: + - metric: system.network.io + relation: metric + stability: development short: The number of bytes received on all network interfaces. type: long - host.target.network.ingress.packets: - dashed_name: host-target-network-ingress-packets + host.network.ingress.packets: + dashed_name: host-network-ingress-packets description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - flat_name: host.target.network.ingress.packets + flat_name: host.network.ingress.packets level: extended name: network.ingress.packets normalize: [] - original_fieldset: host + otel: + - metric: system.network.packet.count + relation: metric + stability: development short: The number of packets received on all network interfaces. type: long - host.target.os.family: - dashed_name: host-target-os-family + host.os.family: + dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). example: debian - flat_name: host.target.os.family + flat_name: host.os.family ignore_above: 1024 level: extended name: family 
@@ -10655,15 +10099,15 @@ host: original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). type: keyword - host.target.os.full: - dashed_name: host-target-os-full + host.os.full: + dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave - flat_name: host.target.os.full + flat_name: host.os.full ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.full.text + - flat_name: host.os.full.text name: text type: match_only_text name: full @@ -10671,11 +10115,11 @@ host: original_fieldset: os short: Operating system name, including the version or code name. type: keyword - host.target.os.kernel: - dashed_name: host-target-os-kernel + host.os.kernel: + dashed_name: host-os-kernel description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - flat_name: host.target.os.kernel + flat_name: host.os.kernel ignore_above: 1024 level: extended name: kernel @@ -10683,15 +10127,15 @@ host: original_fieldset: os short: Operating system kernel version as a raw string. type: keyword - host.target.os.name: - dashed_name: host-target-os-name + host.os.name: + dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X - flat_name: host.target.os.name + flat_name: host.os.name ignore_above: 1024 level: extended multi_fields: - - flat_name: host.target.os.name.text + - flat_name: host.os.name.text name: text type: match_only_text name: name @@ -10699,11 +10143,11 @@ host: original_fieldset: os short: Operating system name, without the version. type: keyword - host.target.os.platform: - dashed_name: host-target-os-platform + host.os.platform: + dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). example: darwin - flat_name: host.target.os.platform + flat_name: host.os.platform ignore_above: 1024 level: extended name: platform 
@@ -10711,8 +10155,8 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword - host.target.os.type: - dashed_name: host-target-os-type + host.os.type: + dashed_name: host-os-type description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. @@ -10727,7 +10171,7 @@ host: - windows - ios - android - flat_name: host.target.os.type + flat_name: host.os.type ignore_above: 1024 level: extended name: type @@ -10736,11 +10180,11 @@ host: short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword - host.target.os.version: - dashed_name: host-target-os-version + host.os.version: + dashed_name: host-os-version description: Operating system version as a raw string. example: 10.14.1 - flat_name: host.target.os.version + flat_name: host.os.version ignore_above: 1024 level: extended name: version @@ -10748,25 +10192,24 @@ host: original_fieldset: os short: Operating system version as a raw string. type: keyword - host.target.pid_ns_ino: - dashed_name: host-target-pid-ns-ino + host.pid_ns_ino: + dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 - flat_name: host.target.pid_ns_ino + flat_name: host.pid_ns_ino ignore_above: 1024 level: extended name: pid_ns_ino normalize: [] - original_fieldset: host short: Pid namespace inode type: keyword - host.target.risk.calculated_level: - dashed_name: host-target-risk-calculated-level + host.risk.calculated_level: + dashed_name: host-risk-calculated-level description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. example: High - flat_name: host.target.risk.calculated_level + flat_name: host.risk.calculated_level ignore_above: 1024 level: extended name: calculated_level 
@@ -10775,12 +10218,12 @@ host: short: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. type: keyword - host.target.risk.calculated_score: - dashed_name: host-target-risk-calculated-score + host.risk.calculated_score: + dashed_name: host-risk-calculated-score description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. example: 880.73 - flat_name: host.target.risk.calculated_score + flat_name: host.risk.calculated_score level: extended name: calculated_score normalize: [] @@ -10788,25 +10231,25 @@ host: short: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. type: float - host.target.risk.calculated_score_norm: - dashed_name: host-target-risk-calculated-score-norm + host.risk.calculated_score_norm: + dashed_name: host-risk-calculated-score-norm description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. example: 88.73 - flat_name: host.target.risk.calculated_score_norm + flat_name: host.risk.calculated_score_norm level: extended name: calculated_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an internal system. type: float - host.target.risk.static_level: - dashed_name: host-target-risk-static-level + host.risk.static_level: + dashed_name: host-risk-static-level description: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. example: High - flat_name: host.target.risk.static_level + flat_name: host.risk.static_level ignore_above: 1024 level: extended name: static_level 
@@ -10815,12 +10258,12 @@ host: short: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. type: keyword - host.target.risk.static_score: - dashed_name: host-target-risk-static-score + host.risk.static_score: + dashed_name: host-risk-static-score description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. example: 830.0 - flat_name: host.target.risk.static_score + flat_name: host.risk.static_score level: extended name: static_score normalize: [] 
@@ -10828,45 +10271,19 @@ host: short: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. type: float - host.target.risk.static_score_norm: - dashed_name: host-target-risk-static-score-norm + host.risk.static_score_norm: + dashed_name: host-risk-static-score-norm description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. example: 83.0 - flat_name: host.target.risk.static_score_norm + flat_name: host.risk.static_score_norm level: extended name: static_score_norm normalize: [] original_fieldset: risk short: A normalized risk score calculated by an external system. type: float - host.target.type: - dashed_name: host-target-type - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, - this could be the container, for example, or other information meaningful - in your environment.' - flat_name: host.target.type - ignore_above: 1024 - level: core - name: type - normalize: [] - original_fieldset: host - short: Type of host. - type: keyword - host.target.uptime: - dashed_name: host-target-uptime - description: Seconds the host has been up. - example: 1325 - flat_name: host.target.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: host - short: Seconds the host has been up. - type: long host.type: dashed_name: host-type description: 'Type of host. @@ -10905,15 +10322,7 @@ host: - host.geo - host.os - host.risk - - host.target prefix: host. - reusable: - expected: - - as: target - at: host - full: host.target - short_override: Targeted host of action taken. - top_level: true reused_here: - full: host.entity schema_name: entity 
@@ -10927,9 +10336,6 @@ host: - full: host.risk schema_name: risk short: Fields for describing risk score and level. - - full: host.target - schema_name: host - short: Targeted host of action taken. short: Fields describing the relevant computing instance. title: Host type: group @@ -12717,6 +12123,20 @@ orchestrator: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + orchestrator.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: orchestrator-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: orchestrator.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source @@ -19242,6 +18662,9 @@ risk: - as: risk at: user full: user.risk + - as: risk + at: entity + full: entity.risk top_level: false short: Fields for describing risk score and level. title: Risk information 
@@ -20065,6 +19488,20 @@ service: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + service.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: service.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source @@ -20493,6 +19930,20 @@ service: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + service.origin.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: service.origin.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source 
@@ -20970,6 +20421,20 @@ service: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + service.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: service-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: service.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source @@ -29172,6 +28637,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.changes.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.changes.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source 
@@ -29661,6 +29140,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.effective.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.effective.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source @@ -30127,6 +29620,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source 
@@ -30614,6 +30121,20 @@ user: original_fieldset: entity short: A URI, URL, or other direct reference to access or locate the entity. type: keyword + user.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: user-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + flat_name: user.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 55294fe4f7..d3b9b02cd5 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -70,6 +70,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -168,6 +171,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -324,6 +330,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json index 7620b87cac..3f3483f440 100644 --- a/generated/elasticsearch/composable/component/entity.json +++ b/generated/elasticsearch/composable/component/entity.json 
@@ -52,6 +52,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -106,6 +133,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 0e8543d3cc..13dc2d1f63 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -96,6 +96,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -271,280 +274,6 @@ } } }, - "target": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, "type": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index 0d6c366800..b1e8bcd66f 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -78,6 +78,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index aa40e8cd03..183813006c 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -58,6 +58,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -157,6 +160,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -274,6 +280,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index b30af1dfa1..e29f52b310 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -64,6 +64,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -211,6 +214,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -348,6 +354,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -489,6 +498,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 6b7846c9f1..6dd658cb1d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -294,6 +294,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -392,6 +395,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -548,6 +554,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -1430,6 +1439,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -1484,6 +1520,33 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -2492,6 +2555,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" 
@@ -2667,280 +2733,6 @@ } } }, - "target": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, "type": { "ignore_above": 1024, "type": "keyword" 
@@ -3472,6 +3264,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -5841,6 +5636,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -5940,6 +5738,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -6057,6 +5858,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -8708,6 +8512,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -8855,6 +8662,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -8992,6 +8802,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" @@ -9133,6 +8946,9 @@ "ignore_above": 1024, "type": "keyword" }, + "relationship": { + "type": "object" + }, "source": { "ignore_above": 1024, "type": "keyword" From 06c6f5887668c416bc3e0fb8078b24da20c4d7ea Mon Sep 17 00:00:00 2001 
From: uri-weisman Date: Thu, 8 Jan 2026 13:54:52 +0200 Subject: [PATCH 3/6] Restore host.target reusable section and regenerate artifacts - Restore the reusable section for host.target that enables host.target.* fields - Regenerate all artifacts including documentation, CSV, YAML, and Elasticsearch templates --- docs/reference/ecs-host.md | 9 + generated/beats/fields.ecs.yml | 466 ++++++++++ generated/csv/fields.csv | 60 ++ generated/ecs/ecs_flat.yml | 835 +++++++++++++++++ generated/ecs/ecs_nested.yml | 855 ++++++++++++++++++ .../composable/component/host.json | 277 ++++++ generated/elasticsearch/legacy/template.json | 277 ++++++ schemas/host.yml | 6 + 8 files changed, 2785 insertions(+) diff --git a/docs/reference/ecs-host.md b/docs/reference/ecs-host.md index 51705caaf2..149973c386 100644 --- a/docs/reference/ecs-host.md +++ b/docs/reference/ecs-host.md @@ -36,6 +36,14 @@ ECS host.* fields should be populated with details about the host on which the e | $$$field-host-type$$$ [host.type](#field-host-type) | Type of host.

For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | core | | $$$field-host-uptime$$$ [host.uptime](#field-host-uptime) | Seconds the host has been up.

type: long

example: `1325`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | extended | +## Field reuse [_field_reuse] + +The `host` fields are expected to be nested at: + +* `host.target` + +Note also that the `host` fields may be used directly at the root of the events. + ### Field sets that can be nested under Host [ecs-host-nestings] @@ -45,3 +53,4 @@ ECS host.* fields should be populated with details about the host on which the e | `host.geo.*` | [geo](/reference/ecs-geo.md) | Fields describing a location. | | `host.os.*` | [os](/reference/ecs-os.md) | OS fields contain information about the operating system. | | `host.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. | +| `host.target.*` | [host](/reference/ecs-host.md) | Targeted host of action taken. | diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 2e089cf044..b65be24065 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -4883,6 +4883,472 @@ of 0 to 100. example: 83.0 default_field: false + - name: target.architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + default_field: false + - name: target.boot.id + level: extended + type: keyword + ignore_above: 1024 + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + default_field: false + - name: target.cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: target.disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + default_field: false + - name: target.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: target.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: target.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: target.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' + example: host + default_field: false + - name: target.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + default_field: false + - name: target.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: target.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: target.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: target.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: target.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: target.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: target.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: target.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: target.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. 
+ example: Quebec + default_field: false + - name: target.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: target.hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + default_field: false + - name: target.ip + level: core + type: ip + description: Host ip addresses. + default_field: false + - name: target.mac + level: core + type: keyword + ignore_above: 1024 + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + default_field: false + - name: target.network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. 
+ default_field: false + - name: target.network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + default_field: false + - name: target.os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, including the version or code name. + example: Mac OS Mojave + default_field: false + - name: target.os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + default_field: false + - name: target.os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, without the version. + example: Mac OS X + default_field: false + - name: target.os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + default_field: false + - name: target.os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. 
+ + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' + example: macos + default_field: false + - name: target.os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + default_field: false + - name: target.pid_ns_ino + level: extended + type: keyword + ignore_above: 1024 + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + default_field: false + - name: target.uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + default_field: false - name: type level: core type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 1afd91b4e4..b8f17f166b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -602,6 +602,66 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.4.0-dev,true,host,host.target.architecture,keyword,core,,x86_64,Operating system architecture. +9.4.0-dev,true,host,host.target.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.4.0-dev,true,host,host.target.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.4.0-dev,true,host,host.target.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.4.0-dev,true,host,host.target.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.4.0-dev,true,host,host.target.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.4.0-dev,true,host,host.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.4.0-dev,true,host,host.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.4.0-dev,true,host,host.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.4.0-dev,true,host,host.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.4.0-dev,true,host,host.target.entity.id,keyword,core,,,Unique identifier for the entity. +9.4.0-dev,true,host,host.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.4.0-dev,true,host,host.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.4.0-dev,true,host,host.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.4.0-dev,true,host,host.target.entity.name,keyword,core,,,The name of the entity. +9.4.0-dev,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity. +9.4.0-dev,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.4.0-dev,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev,true,host,host.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. +9.4.0-dev,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.4.0-dev,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.4.0-dev,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. +9.4.0-dev,true,host,host.target.geo.continent_code,keyword,core,,NA,Continent code. +9.4.0-dev,true,host,host.target.geo.continent_name,keyword,core,,North America,Name of the continent. +9.4.0-dev,true,host,host.target.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.4.0-dev,true,host,host.target.geo.country_name,keyword,core,,Canada,Country name. 
+9.4.0-dev,true,host,host.target.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.4.0-dev,true,host,host.target.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.4.0-dev,true,host,host.target.geo.postal_code,keyword,core,,94040,Postal code. +9.4.0-dev,true,host,host.target.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.4.0-dev,true,host,host.target.geo.region_name,keyword,core,,Quebec,Region name. +9.4.0-dev,true,host,host.target.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.4.0-dev,true,host,host.target.hostname,keyword,core,,,Hostname of the host. +9.4.0-dev,true,host,host.target.id,keyword,core,,,Unique host id. +9.4.0-dev,true,host,host.target.ip,ip,core,array,,Host ip addresses. +9.4.0-dev,true,host,host.target.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.4.0-dev,true,host,host.target.name,keyword,core,,,Name of the host. +9.4.0-dev,true,host,host.target.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.4.0-dev,true,host,host.target.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.4.0-dev,true,host,host.target.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.4.0-dev,true,host,host.target.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.4.0-dev,true,host,host.target.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.4.0-dev,true,host,host.target.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.4.0-dev,true,host,host.target.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+9.4.0-dev,true,host,host.target.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.4.0-dev,true,host,host.target.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.4.0-dev,true,host,host.target.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.4.0-dev,true,host,host.target.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.4.0-dev,true,host,host.target.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.4.0-dev,true,host,host.target.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.4.0-dev,true,host,host.target.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.4.0-dev,true,host,host.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev,true,host,host.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev,true,host,host.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.4.0-dev,true,host,host.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev,true,host,host.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev,true,host,host.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.4.0-dev,true,host,host.target.type,keyword,core,,,Type of host. 
+9.4.0-dev,true,host,host.target.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev,true,host,host.type,keyword,core,,,Type of host. 9.4.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 015039b5fd..0bfc59e0db 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8716,6 +8716,841 @@ host.risk.static_score_norm: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float +host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword +host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the + boot_id value from /proc may or may not be the same in containers as on the host. + Some container runtimes will bind mount a new boot_id value onto the proc file + in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword +host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long +host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long +host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS + domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword +host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +host.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: host.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object +host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +host.target.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' 
+ example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword +host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. + type: keyword +host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip +host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword +host.target.name: + dashed_name: host-target-name + description: 'Name of the host. 
+ + It can contain what hostname returns on Unix systems, the fully qualified domain + name (FQDN), or a name specified by the user. The recommended value is the lowercase + FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword +host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. + type: long +host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. + flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long +host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long +host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. 
+ flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long +host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword +host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: keyword +host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword +host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). 
+ example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' + example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' + type: keyword +host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file system + (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword +host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this + could be the container, for example, or other information meaningful in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword +host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index d8e8e724e6..bcb2dfc661 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10284,6 +10284,850 @@ host: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float + host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword + host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword + host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long + host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long + host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword + host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + host.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. 
+ flat_name: host.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object + host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + host.target.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' 
+ example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword + host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. + type: keyword + host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip + host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword + host.target.name: + dashed_name: host-target-name + description: 'Name of the host. 
+ + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword + host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. + type: long + host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long + host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long + host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. 
+ flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long + host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword + host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: keyword + host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword + host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). 
+ example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' + example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' + type: keyword + host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword + host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword + host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword + host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. 
@@ -10322,7 +11166,15 @@ host: - host.geo - host.os - host.risk + - host.target prefix: host. + reusable: + expected: + - as: target + at: host + full: host.target + short_override: Targeted host of action taken. + top_level: true reused_here: - full: host.entity schema_name: entity @@ -10336,6 +11188,9 @@ host: - full: host.risk schema_name: risk short: Fields for describing risk score and level. + - full: host.target + schema_name: host + short: Targeted host of action taken. short: Fields describing the relevant computing instance. title: Host type: group diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 13dc2d1f63..858da2f5c0 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json 
@@ -274,6 +274,283 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "relationship": { + "type": "object" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { 
"ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 6dd658cb1d..d7c0fb8b98 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -2733,6 +2733,283 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "relationship": { + "type": "object" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { 
"ignore_above": 1024, "type": "keyword" diff --git a/schemas/host.yml b/schemas/host.yml index 2782b569c7..2d33b05b78 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -25,6 +25,12 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + reusable: + top_level: true + expected: + - at: host + as: target + short_override: Targeted host of action taken. type: group fields: - name: hostname From 5d94c5f6c8b1078141ab2d6366b3c35cfbf675f0 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Thu, 8 Jan 2026 13:59:29 +0200 Subject: [PATCH 4/6] Update experimental generated files with host.target changes --- experimental/generated/beats/fields.ecs.yml | 466 ++++++++++ experimental/generated/csv/fields.csv | 60 ++ experimental/generated/ecs/ecs_flat.yml | 835 +++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 855 ++++++++++++++++++ .../composable/component/host.json | 277 ++++++ .../elasticsearch/legacy/template.json | 277 ++++++ 6 files changed, 2770 insertions(+) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index f85636c3e6..6eded2343f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
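Review bot: The re-added `reusable` entry in schemas/host.yml (`- at: host` / `as: target`) nests the entire host field set under `host.target.*`, including `host.target.entity.*` and `host.target.risk.*` as the generated templates in this series show, but the only text it supplies is `short_override`, so every `host.target.*` field inherits a description written for "the host on which the event happened" and nothing tells a consumer how `host.target.risk.*` relates to `host.risk.*` or that `host.target.id` may name a different machine than `host.id`. The entity fields pulled in here are still tagged beta while this reuse location is not, so I would add `beta: Reuse of host at host.target is beta and subject to change.` next to `short_override`, and extend the group description in the hunk's context with a sentence such as `When an action is taken against a host other than the one the event was observed on, describe that host under host.target.* and keep host.* for the observing host.` so detections keyed on `host.id` are not silently matched against the target's identifiers. The index line `2782b569c7..2d33b05b78` suggests this hunk restores a block removed earlier in the same series; if so, squashing the two would avoid regenerating the templates twice.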
@@ -4933,6 +4933,472 @@ of 0 to 100. example: 83.0 default_field: false + - name: target.architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + default_field: false + - name: target.boot.id + level: extended + type: keyword + ignore_above: 1024 + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + default_field: false + - name: target.cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: target.disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + default_field: false + - name: target.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: target.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: target.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: target.entity.relationship + level: extended + type: object + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. + default_field: false + - name: target.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' + example: host + default_field: false + - name: target.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + default_field: false + - name: target.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: target.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: target.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: target.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: target.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: target.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: target.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: target.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: target.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. 
+ example: Quebec + default_field: false + - name: target.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: target.hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + default_field: false + - name: target.ip + level: core + type: ip + description: Host ip addresses. + default_field: false + - name: target.mac + level: core + type: keyword + ignore_above: 1024 + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + default_field: false + - name: target.network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. 
+ default_field: false + - name: target.network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false + - name: target.os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + default_field: false + - name: target.os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, including the version or code name. + example: Mac OS Mojave + default_field: false + - name: target.os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + default_field: false + - name: target.os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Operating system name, without the version. + example: Mac OS X + default_field: false + - name: target.os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + default_field: false + - name: target.os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. 
+ + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' + example: macos + default_field: false + - name: target.os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + default_field: false + - name: target.pid_ns_ino + level: extended + type: keyword + ignore_above: 1024 + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + default_field: false + - name: target.uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + default_field: false - name: type level: core type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 15b5782c08..96e79ebfcd 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -609,6 +609,66 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.4.0-dev+exp,true,host,host.target.architecture,keyword,core,,x86_64,Operating system architecture. +9.4.0-dev+exp,true,host,host.target.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.4.0-dev+exp,true,host,host.target.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.4.0-dev+exp,true,host,host.target.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.4.0-dev+exp,true,host,host.target.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.4.0-dev+exp,true,host,host.target.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.4.0-dev+exp,true,host,host.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.4.0-dev+exp,true,host,host.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.4.0-dev+exp,true,host,host.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.4.0-dev+exp,true,host,host.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.4.0-dev+exp,true,host,host.target.entity.id,keyword,core,,,Unique identifier for the entity. +9.4.0-dev+exp,true,host,host.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.4.0-dev+exp,true,host,host.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.4.0-dev+exp,true,host,host.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.4.0-dev+exp,true,host,host.target.entity.name,keyword,core,,,The name of the entity. +9.4.0-dev+exp,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity. +9.4.0-dev+exp,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.4.0-dev+exp,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.4.0-dev+exp,true,host,host.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. +9.4.0-dev+exp,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.4.0-dev+exp,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.4.0-dev+exp,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. +9.4.0-dev+exp,true,host,host.target.geo.continent_code,keyword,core,,NA,Continent code. +9.4.0-dev+exp,true,host,host.target.geo.continent_name,keyword,core,,North America,Name of the continent. +9.4.0-dev+exp,true,host,host.target.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.4.0-dev+exp,true,host,host.target.geo.country_name,keyword,core,,Canada,Country name. 
+9.4.0-dev+exp,true,host,host.target.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.4.0-dev+exp,true,host,host.target.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.4.0-dev+exp,true,host,host.target.geo.postal_code,keyword,core,,94040,Postal code. +9.4.0-dev+exp,true,host,host.target.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.4.0-dev+exp,true,host,host.target.geo.region_name,keyword,core,,Quebec,Region name. +9.4.0-dev+exp,true,host,host.target.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.4.0-dev+exp,true,host,host.target.hostname,keyword,core,,,Hostname of the host. +9.4.0-dev+exp,true,host,host.target.id,keyword,core,,,Unique host id. +9.4.0-dev+exp,true,host,host.target.ip,ip,core,array,,Host ip addresses. +9.4.0-dev+exp,true,host,host.target.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.4.0-dev+exp,true,host,host.target.name,keyword,core,,,Name of the host. +9.4.0-dev+exp,true,host,host.target.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.4.0-dev+exp,true,host,host.target.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.4.0-dev+exp,true,host,host.target.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.4.0-dev+exp,true,host,host.target.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.4.0-dev+exp,true,host,host.target.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.4.0-dev+exp,true,host,host.target.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.4.0-dev+exp,true,host,host.target.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+9.4.0-dev+exp,true,host,host.target.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.4.0-dev+exp,true,host,host.target.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.4.0-dev+exp,true,host,host.target.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.4.0-dev+exp,true,host,host.target.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.4.0-dev+exp,true,host,host.target.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.4.0-dev+exp,true,host,host.target.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.4.0-dev+exp,true,host,host.target.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.4.0-dev+exp,true,host,host.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev+exp,true,host,host.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.4.0-dev+exp,true,host,host.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.4.0-dev+exp,true,host,host.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev+exp,true,host,host.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.4.0-dev+exp,true,host,host.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.4.0-dev+exp,true,host,host.target.type,keyword,core,,,Type of host. +9.4.0-dev+exp,true,host,host.target.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 9.4.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 9.4.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 75da8fbdb2..753b1bf8ee 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8785,6 +8785,841 @@ host.risk.static_score_norm: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float +host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword +host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the + boot_id value from /proc may or may not be the same in containers as on the host. + Some container runtimes will bind mount a new boot_id value onto the proc file + in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword +host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long +host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long +host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS + domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword +host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +host.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-relationship + description: The structure and content of this field set may differ depending on + the entity type. Use this field set when you need to track relationship characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: host.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object +host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +host.target.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' 
+ example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword +host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. + type: keyword +host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip +host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword +host.target.name: + dashed_name: host-target-name + description: 'Name of the host. 
+ + It can contain what hostname returns on Unix systems, the fully qualified domain + name (FQDN), or a name specified by the user. The recommended value is the lowercase + FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword +host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. + type: long +host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. + flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long +host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long +host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. 
+ flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long +host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword +host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: keyword +host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword +host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). 
+ example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' + example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' + type: keyword +host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file system + (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword +host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this + could be the container, for example, or other information meaningful in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword +host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 15f3a7e717..95e5fa4f4a 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10364,6 +10364,850 @@ host: original_fieldset: risk short: A normalized risk score calculated by an external system. type: float + host.target.architecture: + dashed_name: host-target-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.target.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + original_fieldset: host + short: Operating system architecture. + type: keyword + host.target.boot.id: + dashed_name: host-target-boot-id + description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note + the boot_id value from /proc may or may not be the same in containers as on + the host. Some container runtimes will bind mount a new boot_id value onto + the proc file in each container. + example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 + flat_name: host.target.boot.id + ignore_above: 1024 + level: extended + name: boot.id + normalize: [] + original_fieldset: host + short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id + type: keyword + host.target.cpu.usage: + dashed_name: host-target-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.target.cpu.usage + level: extended + name: cpu.usage + normalize: [] + original_fieldset: host + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.target.disk.read.bytes: + dashed_name: host-target-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + original_fieldset: host + short: The number of bytes read by all disks. 
+ type: long + host.target.disk.write.bytes: + dashed_name: host-target-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.target.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + original_fieldset: host + short: The number of bytes written on all disks. + type: long + host.target.domain: + dashed_name: host-target-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + flat_name: host.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: host + short: Name of the directory the group is a member of. + type: keyword + host.target.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: host.target.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + host.target.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + host.target.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: host.target.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + host.target.entity.id: + dashed_name: host-target-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: host.target.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + host.target.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: host.target.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + host.target.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: host.target.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + host.target.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: host.target.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + host.target.entity.name: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: host.target.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: host.target.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + host.target.entity.raw: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: host.target.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + host.target.entity.reference: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: host.target.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + host.target.entity.relationship: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-relationship + description: The structure and content of this field set may differ depending + on the entity type. Use this field set when you need to track relationship + characteristics of an entity for advanced searching and correlation of normalized + values across different providers/sources and entity types. 
+ flat_name: host.target.entity.relationship + level: extended + name: relationship + normalize: [] + original_fieldset: entity + short: A set of relationship attributes that can vary between entity types. + type: object + host.target.entity.source: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: host.target.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + host.target.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: host-target-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: host.target.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + host.target.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: host-target-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' 
+ example: host + flat_name: host.target.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + host.target.geo.city_name: + dashed_name: host-target-geo-city-name + description: City name. + example: Montreal + flat_name: host.target.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + host.target.geo.continent_code: + dashed_name: host-target-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.target.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + host.target.geo.continent_name: + dashed_name: host-target-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.target.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + host.target.geo.country_iso_code: + dashed_name: host-target-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.target.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + host.target.geo.country_name: + dashed_name: host-target-geo-country-name + description: Country name. + example: Canada + flat_name: host.target.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + host.target.geo.location: + dashed_name: host-target-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.target.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + host.target.geo.name: + dashed_name: host-target-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.target.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + host.target.geo.postal_code: + dashed_name: host-target-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.target.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + host.target.geo.region_iso_code: + dashed_name: host-target-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.target.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + host.target.geo.region_name: + dashed_name: host-target-geo-region-name + description: Region name. + example: Quebec + flat_name: host.target.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + host.target.geo.timezone: + dashed_name: host-target-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: host.target.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + host.target.hostname: + dashed_name: host-target-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.target.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + original_fieldset: host + short: Hostname of the host. + type: keyword + host.target.id: + dashed_name: host-target-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: host + short: Unique host id. + type: keyword + host.target.ip: + dashed_name: host-target-ip + description: Host ip addresses. + flat_name: host.target.ip + level: core + name: ip + normalize: + - array + original_fieldset: host + short: Host ip addresses. + synthetic_source_keep: none + type: ip + host.target.mac: + dashed_name: host-target-mac + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + flat_name: host.target.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + original_fieldset: host + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: Host MAC addresses. + synthetic_source_keep: none + type: keyword + host.target.name: + dashed_name: host-target-name + description: 'Name of the host. 
+ + It can contain what hostname returns on Unix systems, the fully qualified + domain name (FQDN), or a name specified by the user. The recommended value + is the lowercase FQDN of the host.' + flat_name: host.target.name + ignore_above: 1024 + level: core + name: name + normalize: [] + original_fieldset: host + short: Name of the host. + type: keyword + host.target.network.egress.bytes: + dashed_name: host-target-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes sent on all network interfaces. + type: long + host.target.network.egress.packets: + dashed_name: host-target-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + original_fieldset: host + short: The number of packets sent on all network interfaces. + type: long + host.target.network.ingress.bytes: + dashed_name: host-target-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.target.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + original_fieldset: host + short: The number of bytes received on all network interfaces. + type: long + host.target.network.ingress.packets: + dashed_name: host-target-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. 
+ flat_name: host.target.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + original_fieldset: host + short: The number of packets received on all network interfaces. + type: long + host.target.os.family: + dashed_name: host-target-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.target.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword + host.target.os.full: + dashed_name: host-target-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.target.os.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.full.text + name: text + type: match_only_text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: keyword + host.target.os.kernel: + dashed_name: host-target-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.target.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + host.target.os.name: + dashed_name: host-target-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.target.os.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: host.target.os.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: keyword + host.target.os.platform: + dashed_name: host-target-os-platform + description: Operating system platform (such centos, ubuntu, windows). 
+ example: darwin + flat_name: host.target.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + host.target.os.type: + dashed_name: host-target-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + If the OS you''re dealing with is not listed as an expected value, the field + should not be populated. Please let us know by opening an issue with ECS, + to propose its addition.' + example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android + flat_name: host.target.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios + or android).' + type: keyword + host.target.os.version: + dashed_name: host-target-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.target.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword + host.target.pid_ns_ino: + dashed_name: host-target-pid-ns-ino + description: This is the inode number of the namespace in the namespace file + system (nsfs). Unsigned int inum in include/linux/ns_common.h. + example: 256383 + flat_name: host.target.pid_ns_ino + ignore_above: 1024 + level: extended + name: pid_ns_ino + normalize: [] + original_fieldset: host + short: Pid namespace inode + type: keyword + host.target.risk.calculated_level: + dashed_name: host-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: host.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + host.target.risk.calculated_score: + dashed_name: host-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: host.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + host.target.risk.calculated_score_norm: + dashed_name: host-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: host.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + host.target.risk.static_level: + dashed_name: host-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: host.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + host.target.risk.static_score: + dashed_name: host-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: host.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + host.target.risk.static_score_norm: + dashed_name: host-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: host.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + host.target.type: + dashed_name: host-target-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + flat_name: host.target.type + ignore_above: 1024 + level: core + name: type + normalize: [] + original_fieldset: host + short: Type of host. + type: keyword + host.target.uptime: + dashed_name: host-target-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.target.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: host + short: Seconds the host has been up. + type: long host.type: dashed_name: host-type description: 'Type of host. 
@@ -10402,7 +11246,15 @@ host: - host.geo - host.os - host.risk + - host.target prefix: host. + reusable: + expected: + - as: target + at: host + full: host.target + short_override: Targeted host of action taken. + top_level: true reused_here: - full: host.entity schema_name: entity @@ -10416,6 +11268,9 @@ host: - full: host.risk schema_name: risk short: Fields for describing risk score and level. + - full: host.target + schema_name: host + short: Targeted host of action taken. short: Fields describing the relevant computing instance. title: Host type: group diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 4c9f04cd17..c5b2e61f60 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json 
@@ -274,6 +274,283 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "relationship": { + "type": "object" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { 
"ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 2b7c6b9fc1..75ddf819c4 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -2775,6 +2775,283 @@ } } }, + "target": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "relationship": { + "type": "object" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, "type": { 
"ignore_above": 1024, "type": "keyword" From e505783e9751d7e3a40591afd68aa05d12633011 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Wed, 18 Feb 2026 14:55:37 +0200 Subject: [PATCH 5/6] update entity.source to array --- docs/reference/ecs-entity.md | 2 +- experimental/generated/beats/fields.ecs.yml | 90 ++++++++----- experimental/generated/csv/fields.csv | 30 ++--- experimental/generated/ecs/ecs_flat.yml | 120 ++++++++++------- experimental/generated/ecs/ecs_nested.yml | 135 +++++++++++++------- generated/beats/fields.ecs.yml | 90 ++++++++----- generated/csv/fields.csv | 30 ++--- generated/ecs/ecs_flat.yml | 120 ++++++++++------- generated/ecs/ecs_nested.yml | 135 +++++++++++++------- schemas/entity.yml | 6 +- 10 files changed, 486 insertions(+), 272 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 0205c0a8cb..4099acd804 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -26,7 +26,7 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-relationship$$$ [entity.relationship](#field-entity-relationship) | _This field is beta and subject to change._ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | +| $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that supplied the data for this entity (similar to event.module). Because an entity can be built from more than one source (e.g., multiple logs or integrations), this field is an array: use one entry per source.

type: keyword

Note: This field should contain an array of values. | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | | $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6eded2343f..6ed9f3bbda 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -612,8 +612,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -785,8 +787,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: origin.entity.sub_type level: extended @@ -1047,8 +1051,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended 
@@ -2619,8 +2625,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: sub_type level: extended @@ -2781,8 +2789,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.sub_type level: extended @@ -4654,8 +4664,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -5087,8 +5099,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended 
@@ -6306,8 +6320,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -10265,8 +10281,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -10506,8 +10524,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: origin.entity.sub_type level: extended @@ -10784,8 +10804,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended 
@@ -15479,8 +15501,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: changes.entity.sub_type level: extended @@ -15739,8 +15763,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: effective.entity.sub_type level: extended @@ -15983,8 +16009,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -16231,8 +16259,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended 
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 96e79ebfcd..de1a13ac6a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -70,7 +70,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,cloud,cloud.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,cloud,cloud.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
@@ -92,7 +92,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,cloud,cloud.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,cloud,cloud.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
@@ -124,7 +124,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,cloud,cloud.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,cloud,cloud.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
@@ -312,7 +312,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,entity,entity.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,entity,entity.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,entity,entity.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,entity,entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.4.0-dev+exp,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 
@@ -333,7 +333,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,entity,entity.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,entity,entity.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev+exp,true,entity,entity.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev+exp,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,entity,entity.target.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -570,7 +570,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,host,host.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,host,host.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
@@ -628,7 +628,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,host,host.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,host,host.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. 
@@ -781,7 +781,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,orchestrator,orchestrator.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. 
@@ -1313,7 +1313,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,service,service.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,service,service.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. 
@@ -1337,7 +1337,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,service,service.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,service,service.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
@@ -1365,7 +1365,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,service,service.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,service,service.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
@@ -1978,7 +1978,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,user,user.changes.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,user,user.changes.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -2013,7 +2013,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,user,user.effective.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,user,user.effective.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -2046,7 +2046,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,user,user.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,user,user.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -2080,7 +2080,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev+exp,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev+exp,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev+exp,true,user,user.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev+exp,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev+exp,true,user,user.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev+exp,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev+exp,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 753b1bf8ee..cd82da9489 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -864,13 +864,15 @@ cloud.entity.relationship: cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: cloud.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -1211,13 +1213,15 @@ cloud.origin.entity.relationship: cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: cloud.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -1704,13 +1708,15 @@ cloud.target.entity.relationship: cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: cloud.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -4213,13 +4219,15 @@ entity.risk.static_score_norm: entity.source: beta: This field is beta and subject to change. dashed_name: entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array short: Source module or integration that provided the entity data. type: keyword entity.sub_type: 
@@ -4486,13 +4494,15 @@ entity.target.risk.static_score_norm: entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: entity.target.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -8205,13 +8215,15 @@ host.entity.relationship: host.entity.source: beta: This field is beta and subject to change. dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: host.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -9033,13 +9045,15 @@ host.target.entity.relationship: host.target.entity.source: beta: This field is beta and subject to change. dashed_name: host-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: host.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -11121,13 +11135,15 @@ orchestrator.entity.relationship: orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: orchestrator.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -17615,13 +17631,15 @@ service.entity.relationship: service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: service.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -18049,13 +18067,15 @@ service.origin.entity.relationship: service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: service.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -18532,13 +18552,15 @@ service.target.entity.relationship: service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: service.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -26509,13 +26531,15 @@ user.changes.entity.relationship: user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.changes.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -27006,13 +27030,15 @@ user.effective.entity.relationship: user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.effective.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -27480,13 +27506,15 @@ user.entity.relationship: user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -27975,13 +28003,15 @@ user.target.entity.relationship: user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 95e5fa4f4a..e905883c10 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1068,13 +1068,16 @@ cloud: cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: cloud.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -1421,13 +1424,16 @@ cloud: cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: cloud.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -1920,13 +1926,16 @@ cloud: cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: cloud.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -5244,13 +5253,16 @@ entity: entity.source: beta: This field is beta and subject to change. dashed_name: entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array short: Source module or integration that provided the entity data. type: keyword entity.sub_type: @@ -5520,13 +5532,16 @@ entity: entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: entity.target.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -9780,13 +9795,16 @@ host: host.entity.source: beta: This field is beta and subject to change. dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: host.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -10616,13 +10634,16 @@ host: host.target.entity.source: beta: This field is beta and subject to change. dashed_name: host-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: host.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -13075,13 +13096,16 @@ orchestrator: orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: orchestrator.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -20440,13 +20464,16 @@ service: service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: service.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -20882,13 +20909,16 @@ service: service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: service.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -21373,13 +21403,16 @@ service: service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: service.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -29589,13 +29622,16 @@ user: user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.changes.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -30092,13 +30128,16 @@ user: user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.effective.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -30572,13 +30611,16 @@ user: user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -31073,13 +31115,16 @@ user: user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b65be24065..47d159376f 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -562,8 +562,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -735,8 +737,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: origin.entity.sub_type level: extended @@ -997,8 +1001,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended @@ -2569,8 +2575,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: sub_type level: extended 
@@ -2731,8 +2739,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.sub_type level: extended @@ -4604,8 +4614,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -5037,8 +5049,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended @@ -6256,8 +6270,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended 
@@ -10215,8 +10231,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -10456,8 +10474,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: origin.entity.sub_type level: extended @@ -10734,8 +10754,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended @@ -15429,8 +15451,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: changes.entity.sub_type level: extended 
@@ -15689,8 +15713,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: effective.entity.sub_type level: extended @@ -15933,8 +15959,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: entity.sub_type level: extended @@ -16181,8 +16209,10 @@ level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' default_field: false - name: target.entity.sub_type level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index b8f17f166b..bdf18303e4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -63,7 +63,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,cloud,cloud.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,cloud,cloud.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
@@ -85,7 +85,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,cloud,cloud.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
@@ -117,7 +117,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,cloud,cloud.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,cloud,cloud.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
@@ -305,7 +305,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,entity,entity.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,entity,entity.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,entity,entity.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,entity,entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.4.0-dev,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 
@@ -326,7 +326,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,entity,entity.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,entity,entity.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 9.4.0-dev,true,entity,entity.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.4.0-dev,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,entity,entity.target.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
@@ -563,7 +563,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,host,host.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,host,host.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
@@ -621,7 +621,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,host,host.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,host,host.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name. 
@@ -774,7 +774,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,orchestrator,orchestrator.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,orchestrator,orchestrator.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. 
@@ -1306,7 +1306,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,service,service.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,service,service.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. 
@@ -1330,7 +1330,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,service,service.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,service,service.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
@@ -1358,7 +1358,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,service,service.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,service,service.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. 
@@ -1971,7 +1971,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,user,user.changes.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,user,user.changes.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -2006,7 +2006,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,user,user.effective.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,user,user.effective.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -2039,7 +2039,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,user,user.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,user,user.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -2073,7 +2073,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.4.0-dev,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.4.0-dev,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.4.0-dev,true,user,user.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types. -9.4.0-dev,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.4.0-dev,true,user,user.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data. 9.4.0-dev,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 9.4.0-dev,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.4.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 0bfc59e0db..d4152a6e9c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -795,13 +795,15 @@ cloud.entity.relationship: cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: cloud.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -1142,13 +1144,15 @@ cloud.origin.entity.relationship: cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: cloud.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -1635,13 +1639,15 @@ cloud.target.entity.relationship: cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: cloud.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -4144,13 +4150,15 @@ entity.risk.static_score_norm: entity.source: beta: This field is beta and subject to change. dashed_name: entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array short: Source module or integration that provided the entity data. type: keyword entity.sub_type: 
@@ -4417,13 +4425,15 @@ entity.target.risk.static_score_norm: entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: entity.target.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -8136,13 +8146,15 @@ host.entity.relationship: host.entity.source: beta: This field is beta and subject to change. dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: host.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -8964,13 +8976,15 @@ host.target.entity.relationship: host.target.entity.source: beta: This field is beta and subject to change. dashed_name: host-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: host.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -11052,13 +11066,15 @@ orchestrator.entity.relationship: orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: orchestrator.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -17546,13 +17562,15 @@ service.entity.relationship: service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: service.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -17980,13 +17998,15 @@ service.origin.entity.relationship: service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: service.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -18463,13 +18483,15 @@ service.target.entity.relationship: service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: service.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -26440,13 +26462,15 @@ user.changes.entity.relationship: user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.changes.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -26937,13 +26961,15 @@ user.effective.entity.relationship: user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.effective.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -27411,13 +27437,15 @@ user.entity.relationship: user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -27906,13 +27934,15 @@ user.target.entity.relationship: user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source - description: The module or integration that provided this entity data (similar to - event.module). + description: 'The module or integration that supplied the data for this entity (similar + to event.module). Because an entity can be built from more than one source (e.g., + multiple logs or integrations), this field is an array: use one entry per source.' flat_name: user.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index bcb2dfc661..d350d0a6e2 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -988,13 +988,16 @@ cloud: cloud.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: cloud.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -1341,13 +1344,16 @@ cloud: cloud.origin.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: cloud.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -1840,13 +1846,16 @@ cloud: cloud.target.entity.source: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: cloud.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -5164,13 +5173,16 @@ entity: entity.source: beta: This field is beta and subject to change. dashed_name: entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array short: Source module or integration that provided the entity data. type: keyword entity.sub_type: @@ -5440,13 +5452,16 @@ entity: entity.target.source: beta: This field is beta and subject to change. dashed_name: entity-target-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: entity.target.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -9700,13 +9715,16 @@ host: host.entity.source: beta: This field is beta and subject to change. dashed_name: host-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: host.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -10536,13 +10554,16 @@ host: host.target.entity.source: beta: This field is beta and subject to change. dashed_name: host-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: host.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -12995,13 +13016,16 @@ orchestrator: orchestrator.entity.source: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: orchestrator.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -20360,13 +20384,16 @@ service: service.entity.source: beta: This field is beta and subject to change. dashed_name: service-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: service.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -20802,13 +20829,16 @@ service: service.origin.entity.source: beta: This field is beta and subject to change. dashed_name: service-origin-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: service.origin.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -21293,13 +21323,16 @@ service: service.target.entity.source: beta: This field is beta and subject to change. dashed_name: service-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: service.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -29509,13 +29542,16 @@ user: user.changes.entity.source: beta: This field is beta and subject to change. dashed_name: user-changes-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.changes.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -30012,13 +30048,16 @@ user: user.effective.entity.source: beta: This field is beta and subject to change. dashed_name: user-effective-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.effective.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword 
@@ -30492,13 +30531,16 @@ user: user.entity.source: beta: This field is beta and subject to change. dashed_name: user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword @@ -30993,13 +31035,16 @@ user: user.target.entity.source: beta: This field is beta and subject to change. dashed_name: user-target-entity-source - description: The module or integration that provided this entity data (similar - to event.module). + description: 'The module or integration that supplied the data for this entity + (similar to event.module). Because an entity can be built from more than one + source (e.g., multiple logs or integrations), this field is an array: use + one entry per source.' flat_name: user.target.entity.source ignore_above: 1024 level: core name: source - normalize: [] + normalize: + - array original_fieldset: entity short: Source module or integration that provided the entity data. type: keyword diff --git a/schemas/entity.yml b/schemas/entity.yml index e015614e8f..2297c0c4f1 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml 
@@ -63,7 +63,11 @@ type: keyword short: Source module or integration that provided the entity data. description: > - The module or integration that provided this entity data (similar to event.module). + The module or integration that supplied the data for this entity (similar to event.module). + Because an entity can be built from more than one source (e.g., multiple logs or integrations), + this field is an array: use one entry per source. + normalize: + - array beta: This field is beta and subject to change. - name: type From bbe35b2333ffcbcf9fd8e6ed7b309fc25e57b457 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Wed, 18 Feb 2026 15:43:00 +0200 Subject: [PATCH 6/6] add an example for a relationship --- docs/reference/ecs-entity.md | 2 +- experimental/generated/beats/fields.ecs.yml | 90 +++++++++++++++++---- experimental/generated/ecs/ecs_flat.yml | 90 +++++++++++++++++---- experimental/generated/ecs/ecs_nested.yml | 90 +++++++++++++++++---- generated/beats/fields.ecs.yml | 90 +++++++++++++++++---- generated/ecs/ecs_flat.yml | 90 +++++++++++++++++---- generated/ecs/ecs_nested.yml | 90 +++++++++++++++++---- schemas/entity.yml | 2 + 8 files changed, 453 insertions(+), 91 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 4099acd804..88f0125c2a 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -25,7 +25,7 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.
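Review bot: The `short` text still describes a single value (`Source module or integration that provided the entity data.`) while this hunk turns the field into an array via `normalize:` / `- array`; change it to `short: Source modules or integrations that provided the entity data.` so the generated docs agree with the description. The description could also state what multi-valued provenance means for consumers, e.g. append `A query on one value matches any entity that lists that source among others, so this field alone does not attest which source supplied a given attribute.` — trust or detection logic keyed on the source integration should not assume exclusivity. Converting a `level: core` field from scalar to array is a contract change for existing consumers even under the beta flag, so if this patch does not already carry a changelog entry, one would help. The `- name: source` entry this hunk modifies begins above the hunk.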

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | -| $$$field-entity-relationship$$$ [entity.relationship](#field-entity-relationship) | _This field is beta and subject to change._ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | +| $$$field-entity-relationship$$$ [entity.relationship](#field-entity-relationship) | _This field is beta and subject to change._ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

For example, `entity.relationship.owns` can describe that a user owns a device (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).

type: object | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that supplied the data for this entity (similar to event.module). Because an entity can be built from more than one source (e.g., multiple logs or integrations), this field is an array: use one entry per source.

type: keyword

Note: This field should contain an array of values. | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | | $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6ed9f3bbda..6c69eeae5b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -603,10 +603,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core @@ -778,10 +782,14 @@ - name: origin.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: origin.entity.source level: core 
@@ -1042,10 +1050,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core @@ -2570,10 +2582,14 @@ - name: relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: risk.calculated_level level: extended 
@@ -2734,10 +2750,14 @@ - name: target.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.risk.calculated_level level: extended @@ -4655,10 +4675,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core 
@@ -5090,10 +5114,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core @@ -6311,10 +6339,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core 
@@ -10272,10 +10304,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core @@ -10515,10 +10551,14 @@ - name: origin.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: origin.entity.source level: core 
@@ -10795,10 +10835,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core @@ -15492,10 +15536,14 @@ - name: changes.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: changes.entity.source level: core 
@@ -15754,10 +15802,14 @@ - name: effective.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: effective.entity.source level: core @@ -16000,10 +16052,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core 
@@ -16250,10 +16306,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index cd82da9489..e9b66a437f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -850,10 +850,14 @@ cloud.entity.reference: cloud.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.entity.relationship level: extended name: relationship 
@@ -1199,10 +1203,14 @@ cloud.origin.entity.reference: cloud.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.origin.entity.relationship level: extended name: relationship @@ -1694,10 +1702,14 @@ cloud.target.entity.reference: cloud.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.target.entity.relationship level: extended name: relationship 
@@ -4126,10 +4138,14 @@ entity.reference: entity.relationship: beta: This field is beta and subject to change. dashed_name: entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.relationship level: extended name: relationship @@ -4400,10 +4416,14 @@ entity.target.reference: entity.target.relationship: beta: This field is beta and subject to change. dashed_name: entity-target-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.target.relationship level: extended name: relationship 
@@ -8201,10 +8221,14 @@ host.entity.reference: host.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.entity.relationship level: extended name: relationship @@ -9031,10 +9055,14 @@ host.target.entity.reference: host.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.target.entity.relationship level: extended name: relationship 
@@ -11121,10 +11149,14 @@ orchestrator.entity.reference: orchestrator.entity.relationship: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: orchestrator.entity.relationship level: extended name: relationship @@ -17617,10 +17649,14 @@ service.entity.reference: service.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.entity.relationship level: extended name: relationship 
@@ -18053,10 +18089,14 @@ service.origin.entity.reference: service.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-origin-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.origin.entity.relationship level: extended name: relationship @@ -18538,10 +18578,14 @@ service.target.entity.reference: service.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.target.entity.relationship level: extended name: relationship 
@@ -26517,10 +26561,14 @@ user.changes.entity.reference: user.changes.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-changes-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.changes.entity.relationship level: extended name: relationship @@ -27016,10 +27064,14 @@ user.effective.entity.reference: user.effective.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-effective-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.effective.entity.relationship level: extended name: relationship 
@@ -27492,10 +27544,14 @@ user.entity.reference: user.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.entity.relationship level: extended name: relationship @@ -27989,10 +28045,14 @@ user.target.entity.reference: user.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.target.entity.relationship level: extended name: relationship diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index e905883c10..ca2690d3f4 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1054,10 +1054,14 @@ cloud: cloud.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.entity.relationship level: extended name: relationship @@ -1410,10 +1414,14 @@ cloud: cloud.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.origin.entity.relationship level: extended name: relationship 
@@ -1912,10 +1920,14 @@ cloud: cloud.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.target.entity.relationship level: extended name: relationship @@ -5160,10 +5172,14 @@ entity: entity.relationship: beta: This field is beta and subject to change. dashed_name: entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.relationship level: extended name: relationship 
@@ -5438,10 +5454,14 @@ entity: entity.target.relationship: beta: This field is beta and subject to change. dashed_name: entity-target-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.target.relationship level: extended name: relationship @@ -9781,10 +9801,14 @@ host: host.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.entity.relationship level: extended name: relationship 
@@ -10620,10 +10644,14 @@ host: host.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.target.entity.relationship level: extended name: relationship @@ -13082,10 +13110,14 @@ orchestrator: orchestrator.entity.relationship: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: orchestrator.entity.relationship level: extended name: relationship 
@@ -20450,10 +20482,14 @@ service: service.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.entity.relationship level: extended name: relationship @@ -20895,10 +20931,14 @@ service: service.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-origin-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.origin.entity.relationship level: extended name: relationship 
@@ -21389,10 +21429,14 @@ service: service.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.target.entity.relationship level: extended name: relationship @@ -29608,10 +29652,14 @@ user: user.changes.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-changes-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.changes.entity.relationship level: extended name: relationship 
@@ -30114,10 +30162,14 @@ user: user.effective.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-effective-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.effective.entity.relationship level: extended name: relationship @@ -30597,10 +30649,14 @@ user: user.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.entity.relationship level: extended name: relationship 
@@ -31101,10 +31157,14 @@ user: user.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.target.entity.relationship level: extended name: relationship diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 47d159376f..6f12906680 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -553,10 +553,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core 
@@ -728,10 +732,14 @@ - name: origin.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: origin.entity.source level: core @@ -992,10 +1000,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core 
@@ -2520,10 +2532,14 @@ - name: relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: risk.calculated_level level: extended @@ -2684,10 +2700,14 @@ - name: target.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.risk.calculated_level level: extended 
@@ -4605,10 +4625,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core @@ -5040,10 +5064,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core 
@@ -6261,10 +6289,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core @@ -10222,10 +10254,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core 
@@ -10465,10 +10501,14 @@ - name: origin.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: origin.entity.source level: core @@ -10745,10 +10785,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core 
@@ -15442,10 +15486,14 @@ - name: changes.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: changes.entity.source level: core @@ -15704,10 +15752,14 @@ - name: effective.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: effective.entity.source level: core 
@@ -15950,10 +16002,14 @@ - name: entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: entity.source level: core @@ -16200,10 +16256,14 @@ - name: target.entity.relationship level: extended type: object - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' default_field: false - name: target.entity.source level: core diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d4152a6e9c..385a77531d 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -781,10 +781,14 @@ cloud.entity.reference: cloud.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.entity.relationship level: extended name: relationship @@ -1130,10 +1134,14 @@ cloud.origin.entity.reference: cloud.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.origin.entity.relationship level: extended name: relationship 
@@ -1625,10 +1633,14 @@ cloud.target.entity.reference: cloud.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.target.entity.relationship level: extended name: relationship @@ -4057,10 +4069,14 @@ entity.reference: entity.relationship: beta: This field is beta and subject to change. dashed_name: entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.relationship level: extended name: relationship 
@@ -4331,10 +4347,14 @@ entity.target.reference: entity.target.relationship: beta: This field is beta and subject to change. dashed_name: entity-target-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.target.relationship level: extended name: relationship @@ -8132,10 +8152,14 @@ host.entity.reference: host.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.entity.relationship level: extended name: relationship 
@@ -8962,10 +8986,14 @@ host.target.entity.reference: host.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.target.entity.relationship level: extended name: relationship @@ -11052,10 +11080,14 @@ orchestrator.entity.reference: orchestrator.entity.relationship: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: orchestrator.entity.relationship level: extended name: relationship 
@@ -17548,10 +17580,14 @@ service.entity.reference: service.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.entity.relationship level: extended name: relationship @@ -17984,10 +18020,14 @@ service.origin.entity.reference: service.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-origin-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.origin.entity.relationship level: extended name: relationship 
@@ -18469,10 +18509,14 @@ service.target.entity.reference: service.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.target.entity.relationship level: extended name: relationship @@ -26448,10 +26492,14 @@ user.changes.entity.reference: user.changes.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-changes-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.changes.entity.relationship level: extended name: relationship 
@@ -26947,10 +26995,14 @@ user.effective.entity.reference: user.effective.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-effective-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.effective.entity.relationship level: extended name: relationship @@ -27423,10 +27475,14 @@ user.entity.reference: user.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.entity.relationship level: extended name: relationship 
@@ -27920,10 +27976,14 @@ user.target.entity.reference: user.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-target-entity-relationship - description: The structure and content of this field set may differ depending on + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.target.entity.relationship level: extended name: relationship diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index d350d0a6e2..c983844608 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -974,10 +974,14 @@ cloud: cloud.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.entity.relationship level: extended name: relationship 
@@ -1330,10 +1334,14 @@ cloud: cloud.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.origin.entity.relationship level: extended name: relationship @@ -1832,10 +1840,14 @@ cloud: cloud.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: cloud-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: cloud.target.entity.relationship level: extended name: relationship 
@@ -5080,10 +5092,14 @@ entity: entity.relationship: beta: This field is beta and subject to change. dashed_name: entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.relationship level: extended name: relationship @@ -5358,10 +5374,14 @@ entity: entity.target.relationship: beta: This field is beta and subject to change. dashed_name: entity-target-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: entity.target.relationship level: extended name: relationship 
@@ -9701,10 +9721,14 @@ host: host.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.entity.relationship level: extended name: relationship @@ -10540,10 +10564,14 @@ host: host.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: host-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: host.target.entity.relationship level: extended name: relationship 
@@ -13002,10 +13030,14 @@ orchestrator: orchestrator.entity.relationship: beta: This field is beta and subject to change. dashed_name: orchestrator-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: orchestrator.entity.relationship level: extended name: relationship @@ -20370,10 +20402,14 @@ service: service.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.entity.relationship level: extended name: relationship 
@@ -20815,10 +20851,14 @@ service: service.origin.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-origin-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.origin.entity.relationship level: extended name: relationship @@ -21309,10 +21349,14 @@ service: service.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: service-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: service.target.entity.relationship level: extended name: relationship 
@@ -29528,10 +29572,14 @@ user: user.changes.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-changes-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.changes.entity.relationship level: extended name: relationship @@ -30034,10 +30082,14 @@ user: user.effective.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-effective-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.effective.entity.relationship level: extended name: relationship 
@@ -30517,10 +30569,14 @@ user: user.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.entity.relationship level: extended name: relationship @@ -31021,10 +31077,14 @@ user: user.target.entity.relationship: beta: This field is beta and subject to change. dashed_name: user-target-entity-relationship - description: The structure and content of this field set may differ depending + description: 'The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device + (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: + "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).' flat_name: user.target.entity.relationship level: extended name: relationship diff --git a/schemas/entity.yml b/schemas/entity.yml index 2297c0c4f1..3a8c50d481 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml 
@@ -173,6 +173,8 @@ short: A set of relationship attributes that can vary between entity types. description: > The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. + + For example, `entity.relationship.owns` can describe that a user owns a device (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity). beta: This field is beta and subject to change. - name: lifecycle
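Review bot: The new example value `"macbook-pro-xxxx"` reads like a hostname or display name, which undercuts the parenthetical right after it saying the value should be the owned entity's `entity.id`; a reader copying the example will likely populate a friendly name, and relationships keyed on names cannot be joined reliably across sources. Suggest making the example value unmistakably an identifier and moving the rule out of the parenthesis, e.g. `For example, \`entity.relationship.owns\` can describe that a user owns a device (host). The value must be the \`entity.id\` of the related entity, never its name or hostname, so the relationship can be correlated across providers.` The description also does not say whether a relationship key holds a single value or an array when an entity has several relationships of the same kind (one user owning two hosts), which is worth one sentence since the generated hunks above map `relationship` as `type: object` with no declared sub-fields, so nothing enforces it. The enclosing `- name: relationship` definition starts outside this hunk.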