update experimental artifacts

experimental/generated/generated/beats/fields.ecs.yml → experimental/generated/beats/fields.ecs.yml

@@ -296,6 +296,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -696,6 +710,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -917,8 +945,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -1297,7 +1324,7 @@
         but it can be retrieved from `_source`.'
       example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
         worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
-      index: true
+      index: false
     - name: outcome
       level: core
       type: keyword
@@ -1664,8 +1691,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -2285,8 +2311,7 @@
       default_field: false
     - name: request.referrer
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
     - name: response.body.bytes
@@ -2543,11 +2568,17 @@
       type: keyword
       ignore_above: 1024
       description: "Direction of the network traffic.\nRecommended values are:\n \
-        \ * inbound\n  * outbound\n  * internal\n  * external\n  * unknown\n\nWhen\
-        \ mapping events from a host-based monitoring context, populate this field\
-        \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\
-        \ monitoring context, populate this field from the point of view of your network\
-        \ perimeter."
+        \ * ingress\n  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n\
+        \  * unknown\n\nWhen mapping events from a host-based monitoring context,\
+        \ populate this field from the host's point of view, using the values \"ingress\"\
+        \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
+        \ context, populate this field from the point of view of the network perimeter,\
+        \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
+        .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
+        \ to describe communication between two hosts within the perimeter. Note also\
+        \ that \"external\" is meant to describe traffic between two hosts that are\
+        \ external to the perimeter. This could for example be useful for ISPs or\
+        \ VPN service providers."
       example: inbound
     - name: forwarded_ip
       level: core
@@ -2566,8 +2597,8 @@
       level: extended
       type: object
       description: Network.inner fields are added in addition to network.vlan fields
-        to describe  the innermost VLAN when q-in-q VLAN tagging is present. Allowed
-        fields include  vlan.id and vlan.name. Inner vlan fields are typically used
+        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
+        fields include vlan.id and vlan.name. Inner vlan fields are typically used
         when sending traffic with multiple 802.1q encapsulations to a network sensor
         (e.g. Zeek, Wireshark.)
       default_field: false
@@ -3138,8 +3169,7 @@
       default_field: false
     - name: original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3290,8 +3320,7 @@
       description: SHA512 hash.
     - name: name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3436,8 +3465,7 @@
       default_field: false
     - name: parent.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3488,8 +3516,7 @@
       default_field: false
     - name: parent.pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3609,8 +3636,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -4033,6 +4059,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -4348,6 +4388,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -5242,6 +5296,20 @@
 
         Note: The `:` is not part of the scheme.'
       example: https
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword