From 26a3850ae29617afee677d20788a227f3d7aefc9 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 10 Dec 2020 13:53:14 -0600 Subject: [PATCH] artifacts --- experimental/generated/beats/fields.ecs.yml | 46 ++++ experimental/generated/csv/fields.csv | 7 + experimental/generated/ecs/ecs_flat.yml | 74 +++++++ experimental/generated/ecs/ecs_nested.yml | 74 +++++++ .../generated/elasticsearch/7/template.json | 50 +++++ .../elasticsearch/component/host.json | 50 +++++ generated/csv/fields.csv | 204 +++++++++--------- generated/elasticsearch/component/agent.json | 3 +- generated/elasticsearch/component/client.json | 21 +- .../elasticsearch/component/destination.json | 21 +- generated/elasticsearch/component/dll.json | 3 +- generated/elasticsearch/component/dns.json | 6 +- generated/elasticsearch/component/error.json | 8 +- generated/elasticsearch/component/file.json | 18 +- generated/elasticsearch/component/host.json | 21 +- generated/elasticsearch/component/http.json | 9 +- generated/elasticsearch/component/log.json | 6 +- .../elasticsearch/component/observer.json | 9 +- .../elasticsearch/component/organization.json | 3 +- .../elasticsearch/component/process.json | 42 ++-- .../elasticsearch/component/registry.json | 9 +- generated/elasticsearch/component/server.json | 21 +- generated/elasticsearch/component/source.json | 21 +- generated/elasticsearch/component/tls.json | 24 +-- generated/elasticsearch/component/url.json | 15 +- generated/elasticsearch/component/user.json | 36 ++-- .../elasticsearch/component/user_agent.json | 9 +- 27 files changed, 504 insertions(+), 306 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index d68991b2f4..9a58688014 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -2048,6 +2048,28 @@ ignore_above: 1024 description: Operating system architecture. example: x86_64 + - name: cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false - name: domain level: extended type: keyword 
@@ -2144,6 +2166,30 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false - name: os.family level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2c83d5823d..1912a88568 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -230,6 +230,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. 1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.8.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +1.8.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +1.8.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. 1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 
@@ -244,6 +247,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. 1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +1.8.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +1.8.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +1.8.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +1.8.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. 1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 0c6e8374cf..8997fffccf 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3235,6 +3235,40 @@ host.architecture: normalize: [] short: Operating system architecture. type: keyword +host.cpu.usage: + dashed_name: host-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.cpu.usage + level: extended + name: cpu.usage + normalize: [] + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.disk.read.bytes: + dashed_name: host-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + short: The number of bytes read by all disks. + type: long +host.disk.write.bytes: + dashed_name: host-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + short: The number of bytes written on all disks. + type: long host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
@@ -3412,6 +3446,46 @@ host.name: normalize: [] short: Name of the host. type: keyword +host.network.egress.bytes: + dashed_name: host-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + short: The number of bytes sent on all network interfaces. + type: long +host.network.egress.packets: + dashed_name: host-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. + flat_name: host.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + short: The number of packets sent on all network interfaces. + type: long +host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + short: The number of bytes received on all network interfaces. + type: long +host.network.ingress.packets: + dashed_name: host-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. + flat_name: host.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + short: The number of packets received on all network interfaces. + type: long host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 50c4915485..6d1a832021 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -3900,6 +3900,40 @@ host: normalize: [] short: Operating system architecture. type: keyword + host.cpu.usage: + dashed_name: host-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.cpu.usage + level: extended + name: cpu.usage + normalize: [] + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.disk.read.bytes: + dashed_name: host-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + short: The number of bytes read by all disks. + type: long + host.disk.write.bytes: + dashed_name: host-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + short: The number of bytes written on all disks. + type: long host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
@@ -4079,6 +4113,46 @@ host: normalize: [] short: Name of the host. type: keyword + host.network.egress.bytes: + dashed_name: host-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + short: The number of bytes sent on all network interfaces. + type: long + host.network.egress.packets: + dashed_name: host-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + short: The number of packets sent on all network interfaces. + type: long + host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + short: The number of bytes received on all network interfaces. + type: long + host.network.ingress.packets: + dashed_name: host-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + flat_name: host.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + short: The number of packets received on all network interfaces. + type: long host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index dfa18031da..73e91eb32c 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -1046,6 +1046,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -1102,6 +1128,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json index 19c9898702..72a4bf410b 100644 --- a/experimental/generated/elasticsearch/component/host.json +++ b/experimental/generated/elasticsearch/component/host.json @@ -12,6 +12,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -68,6 +94,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index cd996051dc..374aec3e21 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -3,7 +3,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. 1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. 1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.8.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. 1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. 1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. 1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. 
@@ -11,16 +11,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. 1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. 1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. 1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.8.0-dev,true,client,client.domain,keyword,core,,,Client domain. +1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain. 1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. 1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. 
@@ -29,19 +29,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port 1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. 1.8.0-dev,true,client,client.port,long,core,,,Port of the client. -1.8.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." 1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. 1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. 
-1.8.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
@@ -62,16 +62,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. 1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. 1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.8.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. +1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. 1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. 
1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. 
@@ -80,19 +80,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port 1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.8.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." 1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. 
1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
@@ -111,11 +111,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.8.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. 1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. 
@@ -123,7 +123,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. 1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.8.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. 1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
@@ -135,9 +135,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. 1.8.0-dev,true,error,error.message,text,core,,,Error message. -1.8.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. -1.8.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.8.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." 1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. 1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. 
@@ -173,7 +173,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,file,file.created,date,extended,,,File creation time. 1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. 1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
@@ -188,24 +188,24 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
 1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
 1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.8.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.8.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
 1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
 1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
 1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -220,7 +220,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -236,19 +236,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
+1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
 1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id.
 1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
 1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host.
 1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -256,34 +256,34 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
 1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
 1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.8.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
+1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
 1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
 1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.8.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
 1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.8.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
+1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
 1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
 1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
 1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
 1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
 1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.8.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
 1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.8.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
 1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
 1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
 1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
@@ -322,7 +322,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
@@ -337,10 +337,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
 1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -351,7 +351,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
 1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
 1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.8.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
+1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
 1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
 1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
 1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
@@ -373,17 +373,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
 1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
 1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -392,60 +392,60 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
 1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
 1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
 1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
 1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
 1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
+1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
 1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
 1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.8.0-dev,true,process,process.pid,long,core,,4242,Process id.
 1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
 1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.title,keyword,extended,,,Process title.
+1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title.
 1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
 1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.8.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
 1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
 1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.8.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.8.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
 1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
@@ -463,16 +463,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
 1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address.
 1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
 1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.8.0-dev,true,server,server.domain,keyword,core,,,Server domain.
+1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
 1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
@@ -481,19 +481,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
 1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
 1.8.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.8.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
 1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
@@ -505,16 +505,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
 1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address.
 1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
 1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.8.0-dev,true,source,source.domain,keyword,core,,,Source domain.
+1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
 1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
@@ -523,19 +523,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
 1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
 1.8.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.8.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
 1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
@@ -557,17 +557,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
 1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
 1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
 1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
 1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
 1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.8.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
 1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
 1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -582,7 +582,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -597,15 +597,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
 1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
 1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
 1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
 1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
 1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.8.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
 1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -620,7 +620,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -630,79 +630,79 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
 1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
 1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.8.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
+1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
 1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.8.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
 1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
index c130016bbd..353ba82a15 100644
--- a/generated/elasticsearch/component/agent.json
+++ b/generated/elasticsearch/component/agent.json
@@ -11,8 +11,7 @@
 "build": {
 "properties": {
 "original": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 },
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index 5dde7cdb39..31e691aed1 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -26,8 +26,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 }
@@ -37,8 +36,7 @@
 "type": "long"
 },
 "domain": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "geo": {
 "properties": {
@@ -62,8 +60,7 @@
 "type": "geo_point"
 },
 "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "region_iso_code": {
 "ignore_above": 1024,
@@ -99,8 +96,7 @@
 "type": "long"
 },
 "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "subdomain": {
 "ignore_above": 1024,
@@ -117,8 +113,7 @@
 "type": "keyword"
 },
 "email": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "full_name": {
 "fields": {
@@ -127,8 +122,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "group": {
 "properties": {
@@ -161,8 +155,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "roles": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index 1a24a18e99..d9e445f419 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -26,8 +26,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 }
@@ -37,8 +36,7 @@
 "type": "long"
 },
 "domain": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "geo": {
 "properties": {
@@ -62,8 +60,7 @@
 "type": "geo_point"
 },
 "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "region_iso_code": {
 "ignore_above": 1024,
@@ -99,8 +96,7 @@
 "type": "long"
 },
 "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "subdomain": {
 "ignore_above": 1024,
@@ -117,8 +113,7 @@
 "type": "keyword"
 },
 "email": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "full_name": {
 "fields": {
@@ -127,8 +122,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "group": {
 "properties": {
@@ -161,8 +155,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "roles": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index e630a76c71..d1654a2995 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -80,8 +80,7 @@
 "type": "keyword"
 },
 "original_file_name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "product": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
index 42d21fc551..15a736a4cf 100644
--- a/generated/elasticsearch/component/dns.json
+++ b/generated/elasticsearch/component/dns.json
@@ -15,8 +15,7 @@
 "type": "keyword"
 },
 "data": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "name": {
 "ignore_above": 1024,
@@ -51,8 +50,7 @@
 "type": "keyword"
 },
 "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "registered_domain": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
index d22a07231f..6ed08970ef 100644
--- a/generated/elasticsearch/component/error.json
+++ b/generated/elasticsearch/component/error.json
@@ -21,20 +21,16 @@
 "type": "text"
 },
 "stack_trace": {
- "doc_values": false,
 "fields": {
 "text": {
 "norms": false,
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "index": false,
- "type": "keyword"
+ "type": "wildcard"
 },
 "type": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 }
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index cf1324a4f2..073dc7959e 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -47,8 +47,7 @@
 "type": "keyword"
 },
 "directory": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "drive_letter": {
 "ignore_above": 1,
@@ -116,8 +115,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "pe": {
 "properties": {
@@ -142,8 +140,7 @@
 "type": "keyword"
 },
 "original_file_name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "product": {
 "ignore_above": 1024,
@@ -161,8 +158,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "type": {
 "ignore_above": 1024,
@@ -189,8 +185,7 @@
 "type": "keyword"
 },
 "distinguished_name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "locality": {
 "ignore_above": 1024,
@@ -251,8 +246,7 @@
 "type": "keyword"
 },
 "distinguished_name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "locality": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index 3dbbb8e51a..de2b9925b0 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -38,8 +38,7 @@
 "type": "geo_point"
 },
 "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "region_iso_code": {
 "ignore_above": 1024,
@@ -52,8 +51,7 @@
 }
 },
 "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "id": {
 "ignore_above": 1024,
@@ -83,8 +81,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "kernel": {
 "ignore_above": 1024,
@@ -97,8 +94,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "platform": {
 "ignore_above": 1024,
@@ -128,8 +124,7 @@
 "type": "keyword"
 },
 "email": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "full_name": {
 "fields": {
@@ -138,8 +133,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "group": {
 "properties": {
@@ -172,8 +166,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "roles": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index 26b934b372..ee434bc3d3 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -22,8 +22,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 },
@@ -39,8 +38,7 @@
 "type": "keyword"
 },
 "referrer": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 },
@@ -58,8 +56,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 },
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
index b73467cc7b..79ac511fe0 100644
--- a/generated/elasticsearch/component/log.json
+++ b/generated/elasticsearch/component/log.json
@@ -11,8 +11,7 @@
 "file": {
 "properties": {
 "path": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 },
@@ -21,8 +20,7 @@
 "type": "keyword"
 },
 "logger": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "origin": {
 "properties": {
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index a4678c7862..f7b5f2fd65 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -67,8 +67,7 @@
 "type": "geo_point"
 },
 "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "region_iso_code": {
 "ignore_above": 1024,
@@ -145,8 +144,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "kernel": {
 "ignore_above": 1024,
@@ -159,8 +157,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "platform": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
index 8f912778be..c00ed11538 100644
--- a/generated/elasticsearch/component/organization.json
+++ b/generated/elasticsearch/component/organization.json
@@ -19,8 +19,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 }
 }
 }
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 51f03ac672..472f0029fb 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -43,8 +43,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "entity_id": {
 "ignore_above": 1024,
@@ -57,8 +56,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "exit_code": {
 "type": "long"
@@ -90,8 +88,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "parent": {
 "properties": {
@@ -130,8 +127,7 @@
 "type": "text"
 }
 },
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "wildcard"
 },
 "entity_id": {
 "ignore_above": 1024,
@@ -144,8 +140,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" @@ -177,8 +172,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -203,8 +197,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -230,8 +223,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -242,8 +234,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -255,8 +246,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -283,8 +273,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -310,8 +299,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -322,8 +310,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -335,8 +322,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json index f6dea3211e..db6a8c5ba2 100644 --- a/generated/elasticsearch/component/registry.json +++ b/generated/elasticsearch/component/registry.json @@ -15,8 +15,7 @@ "type": "keyword" }, "strings": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -29,12 +28,10 @@ "type": "keyword" }, "key": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "value": { "ignore_above": 1024, 
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json index 0d7e1a95ec..7a5940efb4 100644 --- a/generated/elasticsearch/component/server.json +++ b/generated/elasticsearch/component/server.json @@ -26,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -37,8 +36,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -62,8 +60,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -99,8 +96,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -117,8 +113,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -127,8 +122,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -161,8 +155,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json index ae6db3d20f..ae2b85b106 100644 --- a/generated/elasticsearch/component/source.json +++ b/generated/elasticsearch/component/source.json @@ -26,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -37,8 +36,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -62,8 +60,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, 
@@ -99,8 +96,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -117,8 +113,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -127,8 +122,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -161,8 +155,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json index 8eec703977..be3dd91253 100644 --- a/generated/elasticsearch/component/tls.json +++ b/generated/elasticsearch/component/tls.json @@ -39,8 +39,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3": { "ignore_above": 1024, @@ -57,8 +56,7 @@ "type": "keyword" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "supported_ciphers": { "ignore_above": 1024, @@ -81,8 +79,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -143,8 +140,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -213,8 +209,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3s": { "ignore_above": 1024, @@ -227,8 +222,7 @@ "type": "date" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "x509": { "properties": { @@ -247,8 +241,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, 
@@ -309,8 +302,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json index 89cd68c6bd..c50ced4a7d 100644 --- a/generated/elasticsearch/component/url.json +++ b/generated/elasticsearch/component/url.json @@ -9,8 +9,7 @@ "url": { "properties": { "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "extension": { "ignore_above": 1024, @@ -27,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "original": { "fields": { @@ -37,16 +35,14 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "port": { "type": "long" @@ -56,8 +52,7 @@ "type": "keyword" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "scheme": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json index b9c0ca72c3..8a1a714414 100644 --- a/generated/elasticsearch/component/user.json +++ b/generated/elasticsearch/component/user.json @@ -15,8 +15,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -25,8 +24,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -59,8 +57,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -79,8 +76,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { 
@@ -89,8 +85,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -123,8 +118,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -133,8 +127,7 @@ } }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -143,8 +136,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -177,8 +169,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -191,8 +182,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -201,8 +191,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -235,8 +224,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json index 1dfe0dc08e..c45d126c48 100644 --- a/generated/elasticsearch/component/user_agent.json +++ b/generated/elasticsearch/component/user_agent.json @@ -27,8 +27,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "os": { "properties": { @@ -43,8 +42,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -57,8 +55,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024,