
Upstream ECS merge of v1.9.0 #5

Closed
wants to merge 91 commits into from
Changes from 1 commit
16514a1
bumping version for 1.x release branch (#921)
ebeahan Aug 13, 2020
5d134c9
[1.x] add related.hosts (#913) (#924)
ebeahan Aug 13, 2020
64ea560
[1.x][DOCS] Fixes SIEM links (#936)
Aug 18, 2020
ab227b3
[1.x] Consolidate field-details doc template (#897) (#946)
ebeahan Aug 20, 2020
e106899
Add http.[request|response].mime_type (#944) (#949)
Aug 24, 2020
4b6742b
[1.x] Cut 1.6 Changelog (#933) (#952) (#953)
ebeahan Aug 25, 2020
357ce24
[1.x] Add threat.technique.subtechnique (#951) (#956)
ebeahan Aug 31, 2020
9c4fc4c
[1.x] Nest as for foreign reuse (#960) (#962)
ebeahan Sep 4, 2020
3eb6d99
[1.x] Remove `expected_event_types` from protocol (#964) (#965)
ebeahan Sep 8, 2020
d5820b9
[1.x] Expand definitions of source and destination field sets (#967) …
ebeahan Sep 23, 2020
e6ba4c4
[1.x] Introduce `--strict` flag (#937) (#975)
ebeahan Sep 23, 2020
214a01c
[1.x] Add example value composite type checking (#966) (#976)
ebeahan Sep 23, 2020
7633cb0
[1.x] Add event category configuration (#963) (#977)
ebeahan Sep 23, 2020
5b353fe
[1.x] Add normalizer multi-field capability (#971) (#978)
ebeahan Sep 24, 2020
c5ccecc
[1.x] Add mapping network event guidance doc (#969) (#983)
ebeahan Sep 29, 2020
7897203
[1.x] Removing unneeded link under `Additional Information` (#984) (#…
ebeahan Sep 29, 2020
23abff6
[1.x] Add discrete attribute to field details page headers (#989) (#990)
ebeahan Sep 30, 2020
e086abb
[1.x] Uniformity across domain name breakdown fields (#981) (#994)
ebeahan Oct 2, 2020
b9b1ba5
Add --oss flag to the ECS generator script (#991) (#995)
Oct 2, 2020
d847184
Add network directions ingress and egress (#945) (#997)
Oct 2, 2020
4a49618
Mention ECS Mapper in the main documentation (#987) (#1000)
Oct 5, 2020
20ae5e0
[1.x] Introduce experimental artifacts (#993) (#1001)
ebeahan Oct 5, 2020
947f410
Bump version to 1.8.0-dev in branch 1.x (#1011)
Oct 6, 2020
1dc6240
Cut 1.7 changelog (#1010) (#1012)
Oct 6, 2020
501d404
[1.x] Clarify that file extension should exclude the dot. (#1016) (#1…
Oct 8, 2020
14141ec
[1.x] Add usage docs section (#988) (#1024)
ebeahan Oct 8, 2020
35764fa
[1.x] feat: include alias path when generating template (#877) (#1035)
ebeahan Oct 16, 2020
a173cda
[1.x] Add support for `scaling_factor` in the generator (#1042) (#1055)
ebeahan Oct 28, 2020
5afd0a5
[1.x] Add fallback for constant_keyword (#1046) (#1056)
ebeahan Oct 28, 2020
7ef838b
[1.x] Add wildcard type support to go code generator (#1050) (#1057)
ebeahan Oct 28, 2020
a28ee14
[1.x] New default make task that generates main and experimental arti…
Oct 29, 2020
52de713
[1.x] Change the index pattern in the sample template. (#1048) (#1068)
Nov 2, 2020
1703ac8
[1.x] Prepare link to Logs docs changing with the 7.10 release in "ge…
Nov 4, 2020
7bad0b0
[1.x] Prepare link to Logs docs changing with the 7.10 release in "pr…
Nov 4, 2020
b4bbe72
[1.x] Add event.category session. (#1049) (#1093)
ebeahan Nov 4, 2020
46210a5
[1.x] Add event.category registry (#1040) (#1094)
ebeahan Nov 4, 2020
1c457b5
[1.x] Add --ref support for experimental artifacts (#1063) (#1101)
ebeahan Nov 10, 2020
ec51a8d
[1.x] Remove experimental event.original definition (#1053) (#1104)
ebeahan Nov 10, 2020
b91b60b
[1.x] Add missing `process.thread.name` to experimental definitions (…
ebeahan Nov 10, 2020
08b63c3
[1.x] Remove index parameter for wildcard fields (#1115) (#1119)
ebeahan Nov 12, 2020
16df1c6
[1.x] Add dns.answer object into experimental schema (#1118) (#1121)
ebeahan Nov 12, 2020
1a83782
[1.x] Clarify x509 definition guidance for network events with only o…
Nov 12, 2020
28a3a69
[1.x] Indicate when artifacts include experimental changes (#1117) (#…
Nov 12, 2020
27fe7e0
[1.x] Add os.type field, with list of allowed values (#1111) (#1130)
Nov 18, 2020
dce6348
[1.x] Add support for constant_keyword's 'value' parameter (#1112) (#…
Nov 18, 2020
35a9cca
[1.x] Beta label support (#1051) (#1133)
ebeahan Nov 18, 2020
2026cd9
[1.x] Backport #1134 and #1135 (#1136)
Nov 19, 2020
12e8827
Two small documentation backports (#1149)
Nov 25, 2020
cf28a27
[1.x] Reinforce the exclusion of the leading dot from url.extension (…
Nov 25, 2020
b7f63a7
[1.x] Make all fields linkable directly via an HTML ID (#1148) (#1154)
Nov 26, 2020
e27a948
[1.x] Tracing fields should be at the root (#1165)
Dec 2, 2020
14c84c0
[1.x] Usage of brackets for a URL containing IPv6 address (#1131) (#1…
ebeahan Dec 3, 2020
ae5568c
[1.x] 6.x index template data type fallback (#1171) (#1172)
ebeahan Dec 7, 2020
48e1ddc
[1.x] Apply RFC 0007 stage 3 changes - multi-user (#1066) (#1175)
Dec 7, 2020
3a22a08
[1.x] Handle `error.stack_trace` case for ES 6.x template (#1176) (#1…
ebeahan Dec 8, 2020
ec42319
[1.x] Add composable index templates artifacts (#1156) (#1179)
Dec 9, 2020
5995da9
[1.x] Move _meta section back inside mappings, in legacy templates. (…
Dec 10, 2020
e288c02
[1.x] Apply the RFC 0005 stage 2 (host metrics) changes in the experi…
ebeahan Dec 10, 2020
0e94d2d
[1.x] Stage 3 changes for wildcard RFC 0001 (#1098) (#1183)
ebeahan Dec 10, 2020
7857351
[1.x] Conditional handling in es_template.template_settings (#1191) (…
ebeahan Dec 14, 2020
e2fef1b
[1.x] Artifacts docs page (#1189) (#1195)
ebeahan Dec 15, 2020
82adfee
[1.x] Remove beta warning label from categorization fields docs (#106…
ebeahan Dec 15, 2020
2ae684e
[1.x] Correct wording of `event.reference` description (#1181) (#1197)
ebeahan Dec 15, 2020
cd6778c
Bump version to 1.9.0-dev in branch 1.x (#1198)
ebeahan Dec 15, 2020
ddf2568
[1.x] Cut 1.8 FF changelog.next.md #1199 (#1201)
ebeahan Dec 16, 2020
d1e08be
Merge custom and core multi_fields arrays (#982) (#1213)
Jan 6, 2021
4ab85fa
[1.x] Stage 2 changes for RFC 0009 - data_stream fields (#1215) (#1222)
ebeahan Jan 13, 2021
2b240f1
[1.x] add http.request.id (#1208) (#1223)
ebeahan Jan 14, 2021
36ebb01
[1.x] add cloud.service.name (#1204) (#1224)
ebeahan Jan 14, 2021
a487613
[1.x] Add ssdeep hash (#1169) (#1227)
ebeahan Jan 15, 2021
bc1f9af
[CI] Switch to GitHub actions (#1236) (#1245)
ebeahan Jan 29, 2021
30e4a10
Revert wildcard adoption back to experimental stage (#1235) (#1243)
ebeahan Jan 29, 2021
324c0bc
Add scaled_float type to go generator (#1250) (#1251)
ebeahan Feb 2, 2021
c8aea73
Add categorization fields usage docs (#1242) (#1257)
ebeahan Feb 10, 2021
90db312
add time_zone, postal_code, and continent_code (#1229) (#1258)
ebeahan Feb 10, 2021
9006c8d
Specify MAC address format (#456) (#1260)
ebeahan Feb 11, 2021
86bc271
finalize 1.8.0 changelog (#1262) (#1265)
ebeahan Feb 16, 2021
b1aca41
Add additional host fields (#1248) (#1267)
ebeahan Feb 16, 2021
9f97ffb
Stage 1 changes for RFC 0014 - extend pe fields (#1256) (#1270)
ebeahan Feb 17, 2021
16a60ec
Add 2 fields to code_signature (#1269) (#1272)
ebeahan Feb 18, 2021
cc9ad49
Stage 3 changes for RFC 0007 - remove beta attribute (#1271) (#1273)
ebeahan Feb 18, 2021
40ee8d0
Stage 1 experimental changes for RFC 0008 - threat.indicator fields (…
ebeahan Feb 18, 2021
bdf980c
Stage 1 changes for RFC 0015 - add elf fieldset (#1261) (#1275)
ebeahan Feb 18, 2021
31bbdd6
Cut 1.9 FF CHANGELOG.next.md (#1277)
ebeahan Feb 18, 2021
5df9b6b
lock go version in actions (#1283) (#1290)
ebeahan Mar 4, 2021
d8bcd18
Bump jinja2 from 2.11.2 to 2.11.3 in /scripts (#1310) (#1320)
kgeller Mar 26, 2021
9a677e1
Bump pyyaml from 5.3b1 to 5.4 in /scripts (#1318) (#1325)
ebeahan Mar 26, 2021
56f6e31
Adjust terminology - change whitelist to allowlist (#1315) (#1331)
ebeahan Mar 29, 2021
5bbed42
Remove -dev label from 1.9 version (#1329)
ebeahan Mar 30, 2021
6ed7e13
Cut 1.9 changelog (#1328)
ebeahan Mar 30, 2021
dc935b4
Merge remote-tracking branch 'upstream/1.9' into ecs_merge__v1.9.0
May 5, 2021
[1.x] Expand definitions of source and destination field sets (elasti…
ebeahan authored Sep 23, 2020
commit d5820b9981449c269571d12bc8c75d4f51bf0721
2 changes: 2 additions & 0 deletions CHANGELOG.next.md
@@ -24,6 +24,8 @@ Thanks, you're awesome :-) -->

#### Improvements

* Expanded field set definitions for `source.*` and `destination.*`. #967

#### Deprecated

### Tooling and Artifact Changes
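Review bot: the changelog entry reads as a pure wording change, but the new descriptions in the schemas/*.yml hunks of this commit add guidance with a normative part (source/destination are the baseline, client/server are populated in addition when the roles are known); consider saying so in the entry, e.g. `* Expanded field set definitions for `source.*` and `destination.*` to clarify their relationship to `client.*` and `server.*`. #967`, so implementers scanning CHANGELOG.next.md notice it.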
9 changes: 8 additions & 1 deletion code/go/ecs/destination.go

9 changes: 8 additions & 1 deletion code/go/ecs/source.go

8 changes: 4 additions & 4 deletions docs/field-details.asciidoc
@@ -803,9 +803,9 @@ example: `docker`
[[ecs-destination]]
=== Destination Fields

Destination fields describe details about the destination of a packet/event.
Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.

Destination fields are usually populated in conjunction with source fields.
Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.

==== Destination Field Details

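Review bot: the new paragraph tells readers to populate the client and server fields when roles are known, but nothing in this section points them at those field sets; since field-details.asciidoc appears to be rendered from the schema descriptions (the same text changes in schemas/ and generated/ in this commit), a cross-reference to the client and server sections would have to go into the `description` in schemas/destination.yml and schemas/source.yml rather than into this file.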
@@ -5185,9 +5185,9 @@ example: `3.2.4`
[[ecs-source]]
=== Source Fields

Source fields describe details about the source of a packet/event.
Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.

Source fields are usually populated in conjunction with destination fields.
Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.

==== Source Field Details

24 changes: 18 additions & 6 deletions generated/beats/fields.ecs.yml
@@ -562,9 +562,15 @@
- name: destination
title: Destination
group: 2
description: 'Destination fields describe details about the destination of a packet/event.

Destination fields are usually populated in conjunction with source fields.'
description: 'Destination fields capture details about the receiver of a network
exchange/packet. These fields are populated from a network event, packet, or
other event containing details of a network transaction.

Destination fields are usually populated in conjunction with source fields.
The source and destination fields are considered the baseline and should always
be filled if an event contains source and destination details from a network
transaction. If the event also contains identification of the client and server
roles, then the client and server fields should also be populated.'
type: group
fields:
- name: address
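Review bot: the single-quoted YAML string here is wrapped at a narrower column than the same text in generated/ecs/ecs_nested.yml; that is expected when both files are emitted by the generator, so just confirm these artifacts were regenerated from the schema change rather than edited by hand, otherwise the next generator run will produce a noisy diff against this file.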
@@ -4286,9 +4292,15 @@
- name: source
title: Source
group: 2
description: 'Source fields describe details about the source of a packet/event.

Source fields are usually populated in conjunction with destination fields.'
description: 'Source fields capture details about the sender of a network exchange/packet.
These fields are populated from a network event, packet, or other event containing
details of a network transaction.

Source fields are usually populated in conjunction with destination fields.
The source and destination fields are considered the baseline and should always
be filled if an event contains source and destination details from a network
transaction. If the event also contains identification of the client and server
roles, then the client and server fields should also be populated.'
type: group
fields:
- name: address
24 changes: 18 additions & 6 deletions generated/ecs/ecs_nested.yml
@@ -957,9 +957,15 @@ container:
title: Container
type: group
destination:
description: 'Destination fields describe details about the destination of a packet/event.

Destination fields are usually populated in conjunction with source fields.'
description: 'Destination fields capture details about the receiver of a network
exchange/packet. These fields are populated from a network event, packet, or other
event containing details of a network transaction.

Destination fields are usually populated in conjunction with source fields. The
source and destination fields are considered the baseline and should always be
filled if an event contains source and destination details from a network transaction.
If the event also contains identification of the client and server roles, then
the client and server fields should also be populated.'
fields:
destination.address:
dashed_name: destination-address
@@ -7570,9 +7576,15 @@ service:
title: Service
type: group
source:
description: 'Source fields describe details about the source of a packet/event.

Source fields are usually populated in conjunction with destination fields.'
description: 'Source fields capture details about the sender of a network exchange/packet.
These fields are populated from a network event, packet, or other event containing
details of a network transaction.

Source fields are usually populated in conjunction with destination fields. The
source and destination fields are considered the baseline and should always be
filled if an event contains source and destination details from a network transaction.
If the event also contains identification of the client and server roles, then
the client and server fields should also be populated.'
fields:
source.address:
dashed_name: source-address
8 changes: 6 additions & 2 deletions schemas/destination.yml
@@ -4,9 +4,13 @@
group: 2
short: Fields about the destination side of a network connection, used with source.
description: >
Destination fields describe details about the destination of a packet/event.
Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from
a network event, packet, or other event containing details of a network transaction.

Destination fields are usually populated in conjunction with source fields.
Destination fields are usually populated in conjunction with source fields. The source and destination
fields are considered the baseline and should always be filled if an event contains source
and destination details from a network transaction. If the event also contains identification of the
client and server roles, then the client and server fields should also be populated.
type: group
fields:

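Review bot: the two sentences in the second paragraph pull in different directions: `Destination fields are usually populated in conjunction with source fields.` is hedged, while the next sentence says the pair `should always be filled` when an event carries source and destination details. Suggest making the first sentence conditional rather than hedged, e.g. `Destination fields are populated together with source fields whenever the event carries both ends of a network transaction.`; since this folded (`>`) scalar is the source the docs and generated artifacts are built from, this hunk is the place to fix it.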
8 changes: 6 additions & 2 deletions schemas/source.yml
@@ -4,9 +4,13 @@
group: 2
short: Fields about the source side of a network connection, used with destination.
description: >
Source fields describe details about the source of a packet/event.
Source fields capture details about the sender of a network exchange/packet. These fields are populated from
a network event, packet, or other event containing details of a network transaction.

Source fields are usually populated in conjunction with destination fields.
Source fields are usually populated in conjunction with destination fields. The source and destination
fields are considered the baseline and should always be filled if an event contains source
and destination details from a network transaction. If the event also contains identification of the
client and server roles, then the client and server fields should also be populated.
type: group
fields:
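Review bot: line-wrap style: the first line of the folded scalar (`Source fields capture details about the sender of a network exchange/packet. These fields are populated from`) runs well past the width used by the lines that follow it, and the breaks do not line up with the destination.yml counterpart; wrapping both files the same way makes the parallel descriptions easy to diff against each other. The `usually` versus `should always` tension in the second paragraph applies here exactly as in schemas/destination.yml.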