From f66ca6db0e9de75728771e658984f4994a8c23e8 Mon Sep 17 00:00:00 2001 From: Christoph Wurm Date: Wed, 10 Apr 2019 15:57:41 +0100 Subject: [PATCH 1/4] Add `hash.*` field set. --- CHANGELOG.next.md | 1 + Makefile | 2 +- code/go/ecs/hash.go | 71 ++++ docs/field-details.asciidoc | 246 ++++++++++++ docs/fields.asciidoc | 2 + generated/beats/fields.ecs.yml | 246 ++++++++++++ generated/csv/fields.csv | 48 +++ generated/ecs/ecs_flat.yml | 464 +++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 482 ++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 204 ++++++++++ generated/elasticsearch/7/template.json | 204 ++++++++++ generated/legacy/template.json | 68 ++++ schemas/hash.yml | 96 +++++ use-cases/auditbeat.md | 32 +- 14 files changed, 2149 insertions(+), 17 deletions(-) create mode 100644 code/go/ecs/hash.go create mode 100644 schemas/hash.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 887b81797d..40a9b280e7 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -13,6 +13,7 @@ * Generator for the asciidoc rendering of field definitions. #347 * Generator for the Beats fields.ecs.yml file. #379 * Added field formats to all `.bytes` fields and `event.duration`. #385 +* Added `hash.*` field set. #426 * Added `event.code`, `event.sequence` and `event.provider`. #439 * Added `file.name` and `file.directory`. #441 * Added `file.created`, and `file.accessed`. #445 diff --git a/Makefile b/Makefile index 0a38caa173..48f17f75f1 100644 --- a/Makefile +++ b/Makefile @@ -75,7 +75,7 @@ gocodegen: # Generate the Use Cases .PHONY: legacy_use_cases -legacy_use_cases: +legacy_use_cases: ve $(PYTHON) scripts/use-cases.py --stdout=true >> /dev/null # Check Makefile format. diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go new file mode 100644 index 0000000000..c0de80127d --- /dev/null +++ b/code/go/ecs/hash.go 
@@ -0,0 +1,71 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// The hash fields represent different hash algorithms and their values.
+type Hash struct {
+ // BLAKE2b-256 hash.
+ Blake2b256 string `ecs:"blake2b_256"`
+
+ // BLAKE2b-384 hash.
+ Blake2b384 string `ecs:"blake2b_384"`
+
+ // BLAKE2b-512 hash.
+ Blake2b512 string `ecs:"blake2b_512"`
+
+ // MD5 hash.
+ Md5 string `ecs:"md5"`
+
+ // SHA1 hash.
+ Sha1 string `ecs:"sha1"`
+
+ // SHA224 hash.
+ Sha224 string `ecs:"sha224"`
+
+ // SHA256 hash.
+ Sha256 string `ecs:"sha256"`
+
+ // SHA384 hash.
+ Sha384 string `ecs:"sha384"`
+
+ // SHA3_224 hash.
+ Sha3224 string `ecs:"sha3_224"`
+
+ // SHA3_256 hash.
+ Sha3256 string `ecs:"sha3_256"`
+
+ // SHA3_384 hash.
+ Sha3384 string `ecs:"sha3_384"`
+
+ // SHA3_512 hash.
+ Sha3512 string `ecs:"sha3_512"`
+
+ // SHA512 hash.
+ Sha512 string `ecs:"sha512"`
+
+ // SHA512/224 hash.
+ Sha512224 string `ecs:"sha512_224"`
+
+ // SHA512/256 hash.
+ Sha512256 string `ecs:"sha512_256"`
+
+ // XX64 hash.
+ Xxh64 string `ecs:"xxh64"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 5e671a6a75..bab670461a 100644
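Review bot: The comment on the last field of `Hash` reads `// XX64 hash.` while the tag is `ecs:"xxh64"`, and the same field set is titled `Group` further down the patch (`=== Group Fields` in the docs/field-details.asciidoc hunk, `title: Group` in the generated/beats/fields.ecs.yml and generated/ecs/ecs_nested.yml hunks), which looks copied from the group field set. This file is generated (`DO NOT EDIT`), so both fixes belong in schemas/hash.yml, which the diffstat lists but this chunk does not show: the description should read `XXH64 hash.` and the title `Hash`. None of the descriptions say how the digest is encoded; these become exact-match `keyword` fields, so a producer that writes uppercase or base64 digests will not match lookups against lowercase hex, and pinning one form in the schema (e.g. `SHA256 hash, as a lowercase hex string.`) avoids silent misses when hashes are used for correlation. The generated identifiers `Sha3224` and `Sha512224` also lose the separator from `sha3_224` and `sha512_224` and read as SHA-3224/SHA-512224; that is a gocodegen naming concern rather than a schema one.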
--- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1170,6 +1170,29 @@ example: `1001` // =============================================================== +|===== + +==== Field Reuse + + + + +[[ecs-file-nestings]] +===== Field sets that can be nested under File + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +| <> +| Hashes, usually file hashes. + +// =============================================================== + + |===== [[ecs-geo]] 
@@ -1336,6 +1359,206 @@ Note also that the `group` fields may be used directly at the top level. +[[ecs-hash]] +=== Group Fields + +The hash fields represent different hash algorithms and their values. + +==== Group Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| hash.blake2b_256 +| BLAKE2b-256 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.blake2b_384 +| BLAKE2b-384 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.blake2b_512 +| BLAKE2b-512 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.md5 +| MD5 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha1 +| SHA1 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha224 +| SHA224 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha256 +| SHA256 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha384 +| SHA384 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha3_224 +| SHA3_224 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha3_256 +| SHA3_256 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha3_384 +| SHA3_384 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha3_512 +| SHA3_512 hash. 
+ +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha512 +| SHA512 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha512_224 +| SHA512/224 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.sha512_256 +| SHA512/256 hash. + +type: keyword + + + +| extended + +// =============================================================== + +| hash.xxh64 +| XX64 hash. + +type: keyword + + + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `hash` fields are expected to be nested at: `file.hash`, `process.hash`. + +Note also that the `hash` fields are not expected to be used directly at the top level. + + + + [[ecs-host]] === Host Fields @@ -2200,6 +2423,29 @@ example: `/home/alice` // =============================================================== +|===== + +==== Field Reuse + + + + +[[ecs-process-nestings]] +===== Field sets that can be nested under Process + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +| <> +| Hashes, usually file hashes. + +// =============================================================== + + |===== [[ecs-related]] diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 1d0e175e75..2436c746e2 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -42,6 +42,8 @@ all fields are defined. | <> | User's group relevant to the event. +| <> | Hashes, usually file hashes. + | <> | Fields describing the relevant computing instance. | <> | Fields describing an HTTP request. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 706be2fe48..1aedc27ee2 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -817,6 +817,86 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.blake2b_256 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-256 hash. + - name: hash.blake2b_384 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-384 hash. + - name: hash.blake2b_512 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-512 hash. + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA224 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + - name: hash.sha3_224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_224 hash. + - name: hash.sha3_256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_256 hash. + - name: hash.sha3_384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_384 hash. + - name: hash.sha3_512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_512 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: hash.sha512_224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512/224 hash. + - name: hash.sha512_256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512/256 hash. + - name: hash.xxh64 + level: extended + type: keyword + ignore_above: 1024 + description: XX64 hash. - name: inode level: extended type: keyword 
@@ -955,6 +1035,92 @@ type: keyword ignore_above: 1024 description: Name of the group. + - name: hash + title: Group + group: 2 + description: The hash fields represent different hash algorithms and their values. + type: group + fields: + - name: blake2b_256 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-256 hash. + - name: blake2b_384 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-384 hash. + - name: blake2b_512 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-512 hash. + - name: md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: sha224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA224 hash. + - name: sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + - name: sha3_224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_224 hash. + - name: sha3_256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_256 hash. + - name: sha3_384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_384 hash. + - name: sha3_512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_512 hash. + - name: sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: sha512_224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512/224 hash. + - name: sha512_256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512/256 hash. + - name: xxh64 + level: extended + type: keyword + ignore_above: 1024 + description: XX64 hash. - name: host title: Host group: 2 
@@ -1586,6 +1752,86 @@ ignore_above: 1024 description: Absolute path to the process executable. example: /usr/bin/ssh + - name: hash.blake2b_256 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-256 hash. + - name: hash.blake2b_384 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-384 hash. + - name: hash.blake2b_512 + level: extended + type: keyword + ignore_above: 1024 + description: BLAKE2b-512 hash. + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA224 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + - name: hash.sha3_224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_224 hash. + - name: hash.sha3_256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_256 hash. + - name: hash.sha3_384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_384 hash. + - name: hash.sha3_512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA3_512 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: hash.sha512_224 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512/224 hash. + - name: hash.sha512_256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512/256 hash. + - name: hash.xxh64 + level: extended + type: keyword + ignore_above: 1024 + description: XX64 hash. - name: name level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index e08e371fe3..8417b68d4d 100644 
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -98,6 +98,22 @@ file.directory,keyword,extended,/home/alice,1.1.0-dev
 file.extension,keyword,extended,png,1.1.0-dev
 file.gid,keyword,extended,1001,1.1.0-dev
 file.group,keyword,extended,alice,1.1.0-dev
+file.hash.blake2b_256,keyword,extended,,1.1.0-dev
+file.hash.blake2b_384,keyword,extended,,1.1.0-dev
+file.hash.blake2b_512,keyword,extended,,1.1.0-dev
+file.hash.md5,keyword,extended,,1.1.0-dev
+file.hash.sha1,keyword,extended,,1.1.0-dev
+file.hash.sha224,keyword,extended,,1.1.0-dev
+file.hash.sha256,keyword,extended,,1.1.0-dev
+file.hash.sha384,keyword,extended,,1.1.0-dev
+file.hash.sha3_224,keyword,extended,,1.1.0-dev
+file.hash.sha3_256,keyword,extended,,1.1.0-dev
+file.hash.sha3_384,keyword,extended,,1.1.0-dev
+file.hash.sha3_512,keyword,extended,,1.1.0-dev
+file.hash.sha512,keyword,extended,,1.1.0-dev
+file.hash.sha512_224,keyword,extended,,1.1.0-dev
+file.hash.sha512_256,keyword,extended,,1.1.0-dev
+file.hash.xxh64,keyword,extended,,1.1.0-dev
 file.inode,keyword,extended,256383,1.1.0-dev
 file.mode,keyword,extended,0640,1.1.0-dev
 file.mtime,date,extended,,1.1.0-dev
@@ -118,6 +134,22 @@ geo.region_iso_code,keyword,core,CA-QC,1.1.0-dev
 geo.region_name,keyword,core,Quebec,1.1.0-dev
 group.id,keyword,extended,,1.1.0-dev
 group.name,keyword,extended,,1.1.0-dev
+hash.blake2b_256,keyword,extended,,1.1.0-dev
+hash.blake2b_384,keyword,extended,,1.1.0-dev
+hash.blake2b_512,keyword,extended,,1.1.0-dev
+hash.md5,keyword,extended,,1.1.0-dev
+hash.sha1,keyword,extended,,1.1.0-dev
+hash.sha224,keyword,extended,,1.1.0-dev
+hash.sha256,keyword,extended,,1.1.0-dev
+hash.sha384,keyword,extended,,1.1.0-dev
+hash.sha3_224,keyword,extended,,1.1.0-dev
+hash.sha3_256,keyword,extended,,1.1.0-dev
+hash.sha3_384,keyword,extended,,1.1.0-dev
+hash.sha3_512,keyword,extended,,1.1.0-dev
+hash.sha512,keyword,extended,,1.1.0-dev
+hash.sha512_224,keyword,extended,,1.1.0-dev
+hash.sha512_256,keyword,extended,,1.1.0-dev
+hash.xxh64,keyword,extended,,1.1.0-dev
 host.architecture,keyword,core,x86_64,1.1.0-dev
 host.geo.city_name,keyword,core,Montreal,1.1.0-dev
 host.geo.continent_name,keyword,core,North America,1.1.0-dev
@@ -200,6 +232,22 @@ os.platform,keyword,extended,darwin,1.1.0-dev
 os.version,keyword,extended,10.14.1,1.1.0-dev
 process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.1.0-dev
 process.executable,keyword,extended,/usr/bin/ssh,1.1.0-dev
+process.hash.blake2b_256,keyword,extended,,1.1.0-dev
+process.hash.blake2b_384,keyword,extended,,1.1.0-dev
+process.hash.blake2b_512,keyword,extended,,1.1.0-dev
+process.hash.md5,keyword,extended,,1.1.0-dev
+process.hash.sha1,keyword,extended,,1.1.0-dev
+process.hash.sha224,keyword,extended,,1.1.0-dev
+process.hash.sha256,keyword,extended,,1.1.0-dev
+process.hash.sha384,keyword,extended,,1.1.0-dev
+process.hash.sha3_224,keyword,extended,,1.1.0-dev
+process.hash.sha3_256,keyword,extended,,1.1.0-dev
+process.hash.sha3_384,keyword,extended,,1.1.0-dev
+process.hash.sha3_512,keyword,extended,,1.1.0-dev
+process.hash.sha512,keyword,extended,,1.1.0-dev
+process.hash.sha512_224,keyword,extended,,1.1.0-dev
+process.hash.sha512_256,keyword,extended,,1.1.0-dev
+process.hash.xxh64,keyword,extended,,1.1.0-dev
 process.name,keyword,extended,ssh,1.1.0-dev
 process.pgid,long,extended,,1.1.0-dev
 process.pid,long,core,,1.1.0-dev
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index bf2c97d5da..c69b7d503c 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1090,6 +1090,166 @@ file.group: order: 11 short: Primary group name of the file. type: keyword +file.hash.blake2b_256: + description: BLAKE2b-256 hash. + flat_name: file.hash.blake2b_256 + ignore_above: 1024 + level: extended + name: blake2b_256 + order: 0 + original_fieldset: hash + short: BLAKE2b-256 hash. + type: keyword +file.hash.blake2b_384: + description: BLAKE2b-384 hash. + flat_name: file.hash.blake2b_384 + ignore_above: 1024 + level: extended + name: blake2b_384 + order: 1 + original_fieldset: hash + short: BLAKE2b-384 hash. + type: keyword +file.hash.blake2b_512: + description: BLAKE2b-512 hash. + flat_name: file.hash.blake2b_512 + ignore_above: 1024 + level: extended + name: blake2b_512 + order: 2 + original_fieldset: hash + short: BLAKE2b-512 hash. + type: keyword +file.hash.md5: + description: MD5 hash. + flat_name: file.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + order: 3 + original_fieldset: hash + short: MD5 hash. + type: keyword +file.hash.sha1: + description: SHA1 hash. + flat_name: file.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + order: 4 + original_fieldset: hash + short: SHA1 hash. + type: keyword +file.hash.sha224: + description: SHA224 hash. + flat_name: file.hash.sha224 + ignore_above: 1024 + level: extended + name: sha224 + order: 5 + original_fieldset: hash + short: SHA224 hash. + type: keyword +file.hash.sha256: + description: SHA256 hash. + flat_name: file.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + order: 6 + original_fieldset: hash + short: SHA256 hash. + type: keyword +file.hash.sha384: + description: SHA384 hash. + flat_name: file.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + order: 7 + original_fieldset: hash + short: SHA384 hash. + type: keyword +file.hash.sha3_224: + description: SHA3_224 hash. + flat_name: file.hash.sha3_224 + ignore_above: 1024 + level: extended + name: sha3_224 + order: 8 + original_fieldset: hash + short: SHA3_224 hash. 
+ type: keyword +file.hash.sha3_256: + description: SHA3_256 hash. + flat_name: file.hash.sha3_256 + ignore_above: 1024 + level: extended + name: sha3_256 + order: 9 + original_fieldset: hash + short: SHA3_256 hash. + type: keyword +file.hash.sha3_384: + description: SHA3_384 hash. + flat_name: file.hash.sha3_384 + ignore_above: 1024 + level: extended + name: sha3_384 + order: 10 + original_fieldset: hash + short: SHA3_384 hash. + type: keyword +file.hash.sha3_512: + description: SHA3_512 hash. + flat_name: file.hash.sha3_512 + ignore_above: 1024 + level: extended + name: sha3_512 + order: 11 + original_fieldset: hash + short: SHA3_512 hash. + type: keyword +file.hash.sha512: + description: SHA512 hash. + flat_name: file.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + order: 12 + original_fieldset: hash + short: SHA512 hash. + type: keyword +file.hash.sha512_224: + description: SHA512/224 hash. + flat_name: file.hash.sha512_224 + ignore_above: 1024 + level: extended + name: sha512_224 + order: 13 + original_fieldset: hash + short: SHA512/224 hash. + type: keyword +file.hash.sha512_256: + description: SHA512/256 hash. + flat_name: file.hash.sha512_256 + ignore_above: 1024 + level: extended + name: sha512_256 + order: 14 + original_fieldset: hash + short: SHA512/256 hash. + type: keyword +file.hash.xxh64: + description: XX64 hash. + flat_name: file.hash.xxh64 + ignore_above: 1024 + level: extended + name: xxh64 + order: 15 + original_fieldset: hash + short: XX64 hash. + type: keyword file.inode: description: Inode representing the file in the filesystem. example: '256383' 
@@ -1291,6 +1451,150 @@ group.name: order: 1 short: Name of the group. type: keyword +hash.blake2b_256: + description: BLAKE2b-256 hash. + flat_name: hash.blake2b_256 + ignore_above: 1024 + level: extended + name: blake2b_256 + order: 0 + short: BLAKE2b-256 hash. + type: keyword +hash.blake2b_384: + description: BLAKE2b-384 hash. + flat_name: hash.blake2b_384 + ignore_above: 1024 + level: extended + name: blake2b_384 + order: 1 + short: BLAKE2b-384 hash. + type: keyword +hash.blake2b_512: + description: BLAKE2b-512 hash. + flat_name: hash.blake2b_512 + ignore_above: 1024 + level: extended + name: blake2b_512 + order: 2 + short: BLAKE2b-512 hash. + type: keyword +hash.md5: + description: MD5 hash. + flat_name: hash.md5 + ignore_above: 1024 + level: extended + name: md5 + order: 3 + short: MD5 hash. + type: keyword +hash.sha1: + description: SHA1 hash. + flat_name: hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + order: 4 + short: SHA1 hash. + type: keyword +hash.sha224: + description: SHA224 hash. + flat_name: hash.sha224 + ignore_above: 1024 + level: extended + name: sha224 + order: 5 + short: SHA224 hash. + type: keyword +hash.sha256: + description: SHA256 hash. + flat_name: hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + order: 6 + short: SHA256 hash. + type: keyword +hash.sha384: + description: SHA384 hash. + flat_name: hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + order: 7 + short: SHA384 hash. + type: keyword +hash.sha3_224: + description: SHA3_224 hash. + flat_name: hash.sha3_224 + ignore_above: 1024 + level: extended + name: sha3_224 + order: 8 + short: SHA3_224 hash. + type: keyword +hash.sha3_256: + description: SHA3_256 hash. + flat_name: hash.sha3_256 + ignore_above: 1024 + level: extended + name: sha3_256 + order: 9 + short: SHA3_256 hash. + type: keyword +hash.sha3_384: + description: SHA3_384 hash. 
+ flat_name: hash.sha3_384 + ignore_above: 1024 + level: extended + name: sha3_384 + order: 10 + short: SHA3_384 hash. + type: keyword +hash.sha3_512: + description: SHA3_512 hash. + flat_name: hash.sha3_512 + ignore_above: 1024 + level: extended + name: sha3_512 + order: 11 + short: SHA3_512 hash. + type: keyword +hash.sha512: + description: SHA512 hash. + flat_name: hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + order: 12 + short: SHA512 hash. + type: keyword +hash.sha512_224: + description: SHA512/224 hash. + flat_name: hash.sha512_224 + ignore_above: 1024 + level: extended + name: sha512_224 + order: 13 + short: SHA512/224 hash. + type: keyword +hash.sha512_256: + description: SHA512/256 hash. + flat_name: hash.sha512_256 + ignore_above: 1024 + level: extended + name: sha512_256 + order: 14 + short: SHA512/256 hash. + type: keyword +hash.xxh64: + description: XX64 hash. + flat_name: hash.xxh64 + ignore_above: 1024 + level: extended + name: xxh64 + order: 15 + short: XX64 hash. + type: keyword host.architecture: description: Operating system architecture. example: x86_64 
@@ -2240,6 +2544,166 @@ process.executable: order: 5 short: Absolute path to the process executable. type: keyword +process.hash.blake2b_256: + description: BLAKE2b-256 hash. + flat_name: process.hash.blake2b_256 + ignore_above: 1024 + level: extended + name: blake2b_256 + order: 0 + original_fieldset: hash + short: BLAKE2b-256 hash. + type: keyword +process.hash.blake2b_384: + description: BLAKE2b-384 hash. + flat_name: process.hash.blake2b_384 + ignore_above: 1024 + level: extended + name: blake2b_384 + order: 1 + original_fieldset: hash + short: BLAKE2b-384 hash. + type: keyword +process.hash.blake2b_512: + description: BLAKE2b-512 hash. + flat_name: process.hash.blake2b_512 + ignore_above: 1024 + level: extended + name: blake2b_512 + order: 2 + original_fieldset: hash + short: BLAKE2b-512 hash. + type: keyword +process.hash.md5: + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + order: 3 + original_fieldset: hash + short: MD5 hash. + type: keyword +process.hash.sha1: + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + order: 4 + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.hash.sha224: + description: SHA224 hash. + flat_name: process.hash.sha224 + ignore_above: 1024 + level: extended + name: sha224 + order: 5 + original_fieldset: hash + short: SHA224 hash. + type: keyword +process.hash.sha256: + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + order: 6 + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.hash.sha384: + description: SHA384 hash. + flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + order: 7 + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.hash.sha3_224: + description: SHA3_224 hash. 
+ flat_name: process.hash.sha3_224 + ignore_above: 1024 + level: extended + name: sha3_224 + order: 8 + original_fieldset: hash + short: SHA3_224 hash. + type: keyword +process.hash.sha3_256: + description: SHA3_256 hash. + flat_name: process.hash.sha3_256 + ignore_above: 1024 + level: extended + name: sha3_256 + order: 9 + original_fieldset: hash + short: SHA3_256 hash. + type: keyword +process.hash.sha3_384: + description: SHA3_384 hash. + flat_name: process.hash.sha3_384 + ignore_above: 1024 + level: extended + name: sha3_384 + order: 10 + original_fieldset: hash + short: SHA3_384 hash. + type: keyword +process.hash.sha3_512: + description: SHA3_512 hash. + flat_name: process.hash.sha3_512 + ignore_above: 1024 + level: extended + name: sha3_512 + order: 11 + original_fieldset: hash + short: SHA3_512 hash. + type: keyword +process.hash.sha512: + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + order: 12 + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.hash.sha512_224: + description: SHA512/224 hash. + flat_name: process.hash.sha512_224 + ignore_above: 1024 + level: extended + name: sha512_224 + order: 13 + original_fieldset: hash + short: SHA512/224 hash. + type: keyword +process.hash.sha512_256: + description: SHA512/256 hash. + flat_name: process.hash.sha512_256 + ignore_above: 1024 + level: extended + name: sha512_256 + order: 14 + original_fieldset: hash + short: SHA512/256 hash. + type: keyword +process.hash.xxh64: + description: XX64 hash. + flat_name: process.hash.xxh64 + ignore_above: 1024 + level: extended + name: xxh64 + order: 15 + original_fieldset: hash + short: XX64 hash. + type: keyword process.name: description: 'Process name. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a2299e7ac1..8ddfffe348 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1281,6 +1281,166 @@ file: order: 11 short: Primary group name of the file. type: keyword + hash.blake2b_256: + description: BLAKE2b-256 hash. + flat_name: file.hash.blake2b_256 + ignore_above: 1024 + level: extended + name: blake2b_256 + order: 0 + original_fieldset: hash + short: BLAKE2b-256 hash. + type: keyword + hash.blake2b_384: + description: BLAKE2b-384 hash. + flat_name: file.hash.blake2b_384 + ignore_above: 1024 + level: extended + name: blake2b_384 + order: 1 + original_fieldset: hash + short: BLAKE2b-384 hash. + type: keyword + hash.blake2b_512: + description: BLAKE2b-512 hash. + flat_name: file.hash.blake2b_512 + ignore_above: 1024 + level: extended + name: blake2b_512 + order: 2 + original_fieldset: hash + short: BLAKE2b-512 hash. + type: keyword + hash.md5: + description: MD5 hash. + flat_name: file.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + order: 3 + original_fieldset: hash + short: MD5 hash. + type: keyword + hash.sha1: + description: SHA1 hash. + flat_name: file.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + order: 4 + original_fieldset: hash + short: SHA1 hash. + type: keyword + hash.sha224: + description: SHA224 hash. + flat_name: file.hash.sha224 + ignore_above: 1024 + level: extended + name: sha224 + order: 5 + original_fieldset: hash + short: SHA224 hash. + type: keyword + hash.sha256: + description: SHA256 hash. + flat_name: file.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + order: 6 + original_fieldset: hash + short: SHA256 hash. + type: keyword + hash.sha384: + description: SHA384 hash. + flat_name: file.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + order: 7 + original_fieldset: hash + short: SHA384 hash. + type: keyword + hash.sha3_224: + description: SHA3_224 hash. + flat_name: file.hash.sha3_224 + ignore_above: 1024 + level: extended + name: sha3_224 + order: 8 + original_fieldset: hash + short: SHA3_224 hash. 
+ type: keyword + hash.sha3_256: + description: SHA3_256 hash. + flat_name: file.hash.sha3_256 + ignore_above: 1024 + level: extended + name: sha3_256 + order: 9 + original_fieldset: hash + short: SHA3_256 hash. + type: keyword + hash.sha3_384: + description: SHA3_384 hash. + flat_name: file.hash.sha3_384 + ignore_above: 1024 + level: extended + name: sha3_384 + order: 10 + original_fieldset: hash + short: SHA3_384 hash. + type: keyword + hash.sha3_512: + description: SHA3_512 hash. + flat_name: file.hash.sha3_512 + ignore_above: 1024 + level: extended + name: sha3_512 + order: 11 + original_fieldset: hash + short: SHA3_512 hash. + type: keyword + hash.sha512: + description: SHA512 hash. + flat_name: file.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + order: 12 + original_fieldset: hash + short: SHA512 hash. + type: keyword + hash.sha512_224: + description: SHA512/224 hash. + flat_name: file.hash.sha512_224 + ignore_above: 1024 + level: extended + name: sha512_224 + order: 13 + original_fieldset: hash + short: SHA512/224 hash. + type: keyword + hash.sha512_256: + description: SHA512/256 hash. + flat_name: file.hash.sha512_256 + ignore_above: 1024 + level: extended + name: sha512_256 + order: 14 + original_fieldset: hash + short: SHA512/256 hash. + type: keyword + hash.xxh64: + description: XX64 hash. + flat_name: file.hash.xxh64 + ignore_above: 1024 + level: extended + name: xxh64 + order: 15 + original_fieldset: hash + short: XX64 hash. + type: keyword inode: description: Inode representing the file in the filesystem. example: '256383' @@ -1381,6 +1541,8 @@ file: type: keyword group: 2 name: file + nestings: + - hash prefix: file. short: Fields describing files. title: File 
@@ -1524,6 +1686,164 @@ group: short: User's group relevant to the event. title: Group type: group +hash: + description: The hash fields represent different hash algorithms and their values. + fields: + blake2b_256: + description: BLAKE2b-256 hash. + flat_name: hash.blake2b_256 + ignore_above: 1024 + level: extended + name: blake2b_256 + order: 0 + short: BLAKE2b-256 hash. + type: keyword + blake2b_384: + description: BLAKE2b-384 hash. + flat_name: hash.blake2b_384 + ignore_above: 1024 + level: extended + name: blake2b_384 + order: 1 + short: BLAKE2b-384 hash. + type: keyword + blake2b_512: + description: BLAKE2b-512 hash. + flat_name: hash.blake2b_512 + ignore_above: 1024 + level: extended + name: blake2b_512 + order: 2 + short: BLAKE2b-512 hash. + type: keyword + md5: + description: MD5 hash. + flat_name: hash.md5 + ignore_above: 1024 + level: extended + name: md5 + order: 3 + short: MD5 hash. + type: keyword + sha1: + description: SHA1 hash. + flat_name: hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + order: 4 + short: SHA1 hash. + type: keyword + sha224: + description: SHA224 hash. + flat_name: hash.sha224 + ignore_above: 1024 + level: extended + name: sha224 + order: 5 + short: SHA224 hash. + type: keyword + sha256: + description: SHA256 hash. + flat_name: hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + order: 6 + short: SHA256 hash. + type: keyword + sha384: + description: SHA384 hash. + flat_name: hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + order: 7 + short: SHA384 hash. + type: keyword + sha3_224: + description: SHA3_224 hash. + flat_name: hash.sha3_224 + ignore_above: 1024 + level: extended + name: sha3_224 + order: 8 + short: SHA3_224 hash. + type: keyword + sha3_256: + description: SHA3_256 hash. + flat_name: hash.sha3_256 + ignore_above: 1024 + level: extended + name: sha3_256 + order: 9 + short: SHA3_256 hash. + type: keyword + sha3_384: + description: SHA3_384 hash. 
+ flat_name: hash.sha3_384 + ignore_above: 1024 + level: extended + name: sha3_384 + order: 10 + short: SHA3_384 hash. + type: keyword + sha3_512: + description: SHA3_512 hash. + flat_name: hash.sha3_512 + ignore_above: 1024 + level: extended + name: sha3_512 + order: 11 + short: SHA3_512 hash. + type: keyword + sha512: + description: SHA512 hash. + flat_name: hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + order: 12 + short: SHA512 hash. + type: keyword + sha512_224: + description: SHA512/224 hash. + flat_name: hash.sha512_224 + ignore_above: 1024 + level: extended + name: sha512_224 + order: 13 + short: SHA512/224 hash. + type: keyword + sha512_256: + description: SHA512/256 hash. + flat_name: hash.sha512_256 + ignore_above: 1024 + level: extended + name: sha512_256 + order: 14 + short: SHA512/256 hash. + type: keyword + xxh64: + description: XX64 hash. + flat_name: hash.xxh64 + ignore_above: 1024 + level: extended + name: xxh64 + order: 15 + short: XX64 hash. + type: keyword + group: 2 + name: hash + prefix: hash. + reusable: + expected: + - file + - process + top_level: false + short: Hashes, usually file hashes. + title: Group + type: group host: description: 'A host is defined as a general computing instance. 
@@ -2552,6 +2872,166 @@ process: order: 5 short: Absolute path to the process executable. type: keyword + hash.blake2b_256: + description: BLAKE2b-256 hash. + flat_name: process.hash.blake2b_256 + ignore_above: 1024 + level: extended + name: blake2b_256 + order: 0 + original_fieldset: hash + short: BLAKE2b-256 hash. + type: keyword + hash.blake2b_384: + description: BLAKE2b-384 hash. + flat_name: process.hash.blake2b_384 + ignore_above: 1024 + level: extended + name: blake2b_384 + order: 1 + original_fieldset: hash + short: BLAKE2b-384 hash. + type: keyword + hash.blake2b_512: + description: BLAKE2b-512 hash. + flat_name: process.hash.blake2b_512 + ignore_above: 1024 + level: extended + name: blake2b_512 + order: 2 + original_fieldset: hash + short: BLAKE2b-512 hash. + type: keyword + hash.md5: + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + order: 3 + original_fieldset: hash + short: MD5 hash. + type: keyword + hash.sha1: + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + order: 4 + original_fieldset: hash + short: SHA1 hash. + type: keyword + hash.sha224: + description: SHA224 hash. + flat_name: process.hash.sha224 + ignore_above: 1024 + level: extended + name: sha224 + order: 5 + original_fieldset: hash + short: SHA224 hash. + type: keyword + hash.sha256: + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + order: 6 + original_fieldset: hash + short: SHA256 hash. + type: keyword + hash.sha384: + description: SHA384 hash. + flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + order: 7 + original_fieldset: hash + short: SHA384 hash. + type: keyword + hash.sha3_224: + description: SHA3_224 hash. + flat_name: process.hash.sha3_224 + ignore_above: 1024 + level: extended + name: sha3_224 + order: 8 + original_fieldset: hash + short: SHA3_224 hash. 
+ type: keyword + hash.sha3_256: + description: SHA3_256 hash. + flat_name: process.hash.sha3_256 + ignore_above: 1024 + level: extended + name: sha3_256 + order: 9 + original_fieldset: hash + short: SHA3_256 hash. + type: keyword + hash.sha3_384: + description: SHA3_384 hash. + flat_name: process.hash.sha3_384 + ignore_above: 1024 + level: extended + name: sha3_384 + order: 10 + original_fieldset: hash + short: SHA3_384 hash. + type: keyword + hash.sha3_512: + description: SHA3_512 hash. + flat_name: process.hash.sha3_512 + ignore_above: 1024 + level: extended + name: sha3_512 + order: 11 + original_fieldset: hash + short: SHA3_512 hash. + type: keyword + hash.sha512: + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + order: 12 + original_fieldset: hash + short: SHA512 hash. + type: keyword + hash.sha512_224: + description: SHA512/224 hash. + flat_name: process.hash.sha512_224 + ignore_above: 1024 + level: extended + name: sha512_224 + order: 13 + original_fieldset: hash + short: SHA512/224 hash. + type: keyword + hash.sha512_256: + description: SHA512/256 hash. + flat_name: process.hash.sha512_256 + ignore_above: 1024 + level: extended + name: sha512_256 + order: 14 + original_fieldset: hash + short: SHA512/256 hash. + type: keyword + hash.xxh64: + description: XX64 hash. + flat_name: process.hash.xxh64 + ignore_above: 1024 + level: extended + name: xxh64 + order: 15 + original_fieldset: hash + short: XX64 hash. + type: keyword name: description: 'Process name. @@ -2635,6 +3115,8 @@ process: type: keyword group: 2 name: process + nestings: + - hash prefix: process. short: These fields contain information about a process. title: Process diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 8eba7e5a10..01776ab183 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -457,6 +457,74 @@ "ignore_above": 1024, "type": "keyword" }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "inode": { "ignore_above": 1024, "type": "keyword" 
@@ -544,6 +612,74 @@ } } }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "host": { "properties": { "architecture": { 
@@ -939,6 +1075,74 @@ "ignore_above": 1024, "type": "keyword" }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 1b2a131a5a..622673a6fc 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -456,6 +456,74 @@ "ignore_above": 1024, "type": "keyword" }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "inode": { "ignore_above": 1024, "type": "keyword" 
@@ -543,6 +611,74 @@ } } }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "host": { "properties": { "architecture": { 
@@ -938,6 +1074,74 @@ "ignore_above": 1024, "type": "keyword" }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 99fab95af0..d86e559d09 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json 
@@ -402,6 +402,74 @@ } } }, + "hash": { + "properties": { + "blake2b_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "blake2b_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha3_512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_224": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512_256": { + "ignore_above": 1024, + "type": "keyword" + }, + "xxh64": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "host": { "properties": { "architecture": { diff --git a/schemas/hash.yml b/schemas/hash.yml new file mode 100644 index 0000000000..46aa7921b5 --- /dev/null +++ b/schemas/hash.yml 
@@ -0,0 +1,96 @@ +--- +- name: hash + title: Group + group: 2 + type: group + short: Hashes, usually file hashes. + description: > + The hash fields represent different hash algorithms and their values. + + reusable: + top_level: false + expected: + - file + - process + + fields: + + - name: blake2b_256 + level: extended + type: keyword + description: BLAKE2b-256 hash. + + - name: blake2b_384 + level: extended + type: keyword + description: BLAKE2b-384 hash. + + - name: blake2b_512 + level: extended + type: keyword + description: BLAKE2b-512 hash. + + - name: md5 + level: extended + type: keyword + description: MD5 hash. + + - name: sha1 + level: extended + type: keyword + description: SHA1 hash. + + - name: sha224 + level: extended + type: keyword + description: SHA224 hash. + + - name: sha256 + level: extended + type: keyword + description: SHA256 hash. + + - name: sha384 + level: extended + type: keyword + description: SHA384 hash. + + - name: sha3_224 + level: extended + type: keyword + description: SHA3_224 hash. + + - name: sha3_256 + level: extended + type: keyword + description: SHA3_256 hash. + + - name: sha3_384 + level: extended + type: keyword + description: SHA3_384 hash. + + - name: sha3_512 + level: extended + type: keyword + description: SHA3_512 hash. + + - name: sha512 + level: extended + type: keyword + description: SHA512 hash. + + - name: sha512_224 + level: extended + type: keyword + description: SHA512/224 hash. + + - name: sha512_256 + level: extended + type: keyword + description: SHA512/256 hash. + + - name: xxh64 + level: extended + type: keyword + description: XX64 hash. diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md index 4af02b6e86..779f6a9f76 100644 --- a/use-cases/auditbeat.md +++ b/use-cases/auditbeat.md 
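Review bot: `title: Group` on the new `hash` field set in schemas/hash.yml looks copied from the group schema, and it propagates as-is into the generated ecs_nested.yml (`hash: … title: Group`) and fields.ecs.yml (`- name: hash title: Group`); it should read `title: Hash`. The `xxh64` entry is described as `XX64 hash.`, which is not the algorithm's name; presumably xxHash64 (XXH64) is meant, so spell it out as `description: xxHash64 (XXH64) hash.` to avoid a second naming convention alongside the `blake2b_*`/`sha3_*` entries. For the per-field descriptions, stating only the algorithm (`MD5 hash.`) is fine as long as the value encoding is fixed once at the set level, since these are `keyword` fields and an uppercase and a lowercase rendering of the same digest index as two distinct terms. The hunk is the whole new file, so this is the only place these need changing.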
@@ -23,22 +23,22 @@ ECS usage in Auditbeat. | [file.mtime](../README.md#file.mtime) | The last modified time of the file (time when content was modified). | extended | date | | | [file.ctime](../README.md#file.ctime) | The last change time of the file (time when metadata was changed). | extended | date | | | *hash.** | *Hash fields used in Auditbeat.
The hash field contains cryptographic hashes of data associated with the event (such as a file). The keys are names of cryptographic algorithms. The values are encoded as hexidecimal (lower-case).
All fields in user can have one or multiple entries.
* | | | | -| *hash.blake2b_256* | *BLAKE2b-256 hash of the file.* | (use case) | keyword | | -| *hash.blake2b_384* | *BLAKE2b-384 hash of the file.* | (use case) | keyword | | -| *hash.blake2b_512* | *BLAKE2b-512 hash of the file.* | (use case) | keyword | | -| *hash.md5* | *MD5 hash.* | (use case) | keyword | | -| *hash.sha1* | *SHA-1 hash.* | (use case) | keyword | | -| *hash.sha224* | *SHA-224 hash (SHA-2 family).* | (use case) | keyword | | -| *hash.sha256* | *SHA-256 hash (SHA-2 family).* | (use case) | keyword | | -| *hash.sha384* | *SHA-384 hash (SHA-2 family).* | (use case) | keyword | | -| *hash.sha512* | *SHA-512 hash (SHA-2 family).* | (use case) | keyword | | -| *hash.sha512_224* | *SHA-512/224 hash (SHA-2 family).* | (use case) | keyword | | -| *hash.sha512_256* | *SHA-512/256 hash (SHA-2 family).* | (use case) | keyword | | -| *hash.sha3_224* | *SHA3-224 hash (SHA-3 family).* | (use case) | keyword | | -| *hash.sha3_256* | *SHA3-256 hash (SHA-3 family).* | (use case) | keyword | | -| *hash.sha3_384* | *SHA3-384 hash (SHA-3 family).* | (use case) | keyword | | -| *hash.sha3_512* | *SHA3-512 hash (SHA-3 family).* | (use case) | keyword | | -| *hash.xxh64* | *XX64 hash of the file.* | (use case) | keyword | | +| [hash.blake2b_256](../README.md#hash.blake2b_256) | BLAKE2b-256 hash of the file. | extended | keyword | | +| [hash.blake2b_384](../README.md#hash.blake2b_384) | BLAKE2b-384 hash of the file. | extended | keyword | | +| [hash.blake2b_512](../README.md#hash.blake2b_512) | BLAKE2b-512 hash of the file. | extended | keyword | | +| [hash.md5](../README.md#hash.md5) | MD5 hash. | extended | keyword | | +| [hash.sha1](../README.md#hash.sha1) | SHA-1 hash. | extended | keyword | | +| [hash.sha224](../README.md#hash.sha224) | SHA-224 hash (SHA-2 family). | extended | keyword | | +| [hash.sha256](../README.md#hash.sha256) | SHA-256 hash (SHA-2 family). | extended | keyword | | +| [hash.sha384](../README.md#hash.sha384) | SHA-384 hash (SHA-2 family). 
| extended | keyword | | +| [hash.sha512](../README.md#hash.sha512) | SHA-512 hash (SHA-2 family). | extended | keyword | | +| [hash.sha512_224](../README.md#hash.sha512_224) | SHA-512/224 hash (SHA-2 family). | extended | keyword | | +| [hash.sha512_256](../README.md#hash.sha512_256) | SHA-512/256 hash (SHA-2 family). | extended | keyword | | +| [hash.sha3_224](../README.md#hash.sha3_224) | SHA3-224 hash (SHA-3 family). | extended | keyword | | +| [hash.sha3_256](../README.md#hash.sha3_256) | SHA3-256 hash (SHA-3 family). | extended | keyword | | +| [hash.sha3_384](../README.md#hash.sha3_384) | SHA3-384 hash (SHA-3 family). | extended | keyword | | +| [hash.sha3_512](../README.md#hash.sha3_512) | SHA3-512 hash (SHA-3 family). | extended | keyword | | +| [hash.xxh64](../README.md#hash.xxh64) | XX64 hash of the file. | extended | keyword | | From cb8fb60503cb25befabdf79e8ec9ea9551e20019 Mon Sep 17 00:00:00 2001 From: Christoph Wurm Date: Mon, 20 May 2019 12:41:45 -0700 Subject: [PATCH 2/4] Document how to customize with more hash fields. --- code/go/ecs/hash.go | 3 +++ docs/field-details.asciidoc | 2 ++ generated/beats/fields.ecs.yml | 6 +++++- generated/ecs/ecs_nested.yml | 6 +++++- schemas/hash.yml | 3 +++ 5 files changed, 18 insertions(+), 2 deletions(-) diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go index c0de80127d..a0dc758d04 100644 --- a/code/go/ecs/hash.go +++ b/code/go/ecs/hash.go @@ -20,6 +20,9 @@ package ecs // The hash fields represent different hash algorithms and their values. +// Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields +// for other hashes by lowercasing the hash algorithm and using underscore +// separators as appropriate (snake case). type Hash struct { // BLAKE2b-256 hash. Blake2b256 string `ecs:"blake2b_256"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index bab670461a..576feeca2f 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -1364,6 +1364,8 @@ Note also that the `group` fields may be used directly at the top level. The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm and using underscore separators as appropriate (snake case). + ==== Group Field Details [options="header"] diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1aedc27ee2..91342a0e84 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1038,7 +1038,11 @@ - name: hash title: Group group: 2 - description: The hash fields represent different hash algorithms and their values. + description: 'The hash fields represent different hash algorithms and their values. + + Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for + other hashes by lowercasing the hash algorithm and using underscore separators + as appropriate (snake case).' type: group fields: - name: blake2b_256 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8ddfffe348..a60c5944c5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1687,7 +1687,11 @@ group: title: Group type: group hash: - description: The hash fields represent different hash algorithms and their values. + description: 'The hash fields represent different hash algorithms and their values. + + Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for + other hashes by lowercasing the hash algorithm and using underscore separators + as appropriate (snake case).' fields: blake2b_256: description: BLAKE2b-256 hash. diff --git a/schemas/hash.yml b/schemas/hash.yml index 46aa7921b5..2bdac37ae4 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml 
@@ -7,6 +7,9 @@ description: > The hash fields represent different hash algorithms and their values. + Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes + by lowercasing the hash algorithm and using underscore separators as appropriate (snake case). + reusable: top_level: false expected: From 203f9d170abe5087fac7585a004d70f52afeb318 Mon Sep 17 00:00:00 2001 From: Christoph Wurm Date: Mon, 20 May 2019 12:42:58 -0700 Subject: [PATCH 3/4] Trim list down to most common hashes. --- code/go/ecs/hash.go | 36 --- docs/field-details.asciidoc | 132 --------- generated/beats/fields.ecs.yml | 180 ------------ generated/csv/fields.csv | 36 --- generated/ecs/ecs_flat.yml | 372 +----------------------- generated/ecs/ecs_nested.yml | 372 +----------------------- generated/elasticsearch/6/template.json | 144 --------- generated/elasticsearch/7/template.json | 144 --------- generated/legacy/template.json | 48 --- schemas/hash.yml | 60 ---- use-cases/auditbeat.md | 24 +- 11 files changed, 36 insertions(+), 1512 deletions(-) diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go index a0dc758d04..1cb82c98c1 100644 --- a/code/go/ecs/hash.go +++ b/code/go/ecs/hash.go 
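Review bot: The added guidance in the `hash` set description covers how to name extra hash fields but says nothing about the value format, which matters more for correlation: the auditbeat use case in this same series states values are lowercase hex, and with `type: keyword` a mixed-case digest will not match a lowercase one in an exact-term lookup or a threat-intel join, so producers that skip normalization silently break detection. Suggest adding one sentence to this paragraph, e.g. `Hash values are encoded as lowercase hexadecimal strings.` The naming rule itself is vague where the algorithm name contains a slash or hyphen; one worked example such as `e.g. SHA-512/256 becomes sha512_256` would remove the guesswork, and it stays valid even if that field is later dropped from the predefined list. The hunk is the description block only; the `fields:` list it applies to is outside it.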
@@ -24,51 +24,15 @@ package ecs // for other hashes by lowercasing the hash algorithm and using underscore // separators as appropriate (snake case). type Hash struct { - // BLAKE2b-256 hash. - Blake2b256 string `ecs:"blake2b_256"` - - // BLAKE2b-384 hash. - Blake2b384 string `ecs:"blake2b_384"` - - // BLAKE2b-512 hash. - Blake2b512 string `ecs:"blake2b_512"` - // MD5 hash. Md5 string `ecs:"md5"` // SHA1 hash. Sha1 string `ecs:"sha1"` - // SHA224 hash. - Sha224 string `ecs:"sha224"` - // SHA256 hash. Sha256 string `ecs:"sha256"` - // SHA384 hash. - Sha384 string `ecs:"sha384"` - - // SHA3_224 hash. - Sha3224 string `ecs:"sha3_224"` - - // SHA3_256 hash. - Sha3256 string `ecs:"sha3_256"` - - // SHA3_384 hash. - Sha3384 string `ecs:"sha3_384"` - - // SHA3_512 hash. - Sha3512 string `ecs:"sha3_512"` - // SHA512 hash. Sha512 string `ecs:"sha512"` - - // SHA512/224 hash. - Sha512224 string `ecs:"sha512_224"` - - // SHA512/256 hash. - Sha512256 string `ecs:"sha512_256"` - - // XX64 hash. - Xxh64 string `ecs:"xxh64"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 576feeca2f..739f308539 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1374,39 +1374,6 @@ Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for ot // =============================================================== -| hash.blake2b_256 -| BLAKE2b-256 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.blake2b_384 -| BLAKE2b-384 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.blake2b_512 -| BLAKE2b-512 hash. - -type: keyword - - - -| extended - -// =============================================================== - | hash.md5 | MD5 hash. 
@@ -1425,17 +1392,6 @@ type: keyword -| extended - -// =============================================================== - -| hash.sha224 -| SHA224 hash. - -type: keyword - - - | extended // =============================================================== @@ -1447,61 +1403,6 @@ type: keyword -| extended - -// =============================================================== - -| hash.sha384 -| SHA384 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.sha3_224 -| SHA3_224 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.sha3_256 -| SHA3_256 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.sha3_384 -| SHA3_384 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.sha3_512 -| SHA3_512 hash. - -type: keyword - - - | extended // =============================================================== @@ -1513,39 +1414,6 @@ type: keyword -| extended - -// =============================================================== - -| hash.sha512_224 -| SHA512/224 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.sha512_256 -| SHA512/256 hash. - -type: keyword - - - -| extended - -// =============================================================== - -| hash.xxh64 -| XX64 hash. - -type: keyword - - - | extended // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 91342a0e84..c052a689f1 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -817,21 +817,6 @@ ignore_above: 1024 description: Primary group name of the file. example: alice - - name: hash.blake2b_256 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-256 hash. - - name: hash.blake2b_384 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-384 hash. - - name: hash.blake2b_512 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-512 hash. - name: hash.md5 level: extended type: keyword @@ -842,61 +827,16 @@ type: keyword ignore_above: 1024 description: SHA1 hash. - - name: hash.sha224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA224 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - - name: hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - - name: hash.sha3_224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_224 hash. - - name: hash.sha3_256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_256 hash. - - name: hash.sha3_384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_384 hash. - - name: hash.sha3_512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_512 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - - name: hash.sha512_224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512/224 hash. - - name: hash.sha512_256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512/256 hash. - - name: hash.xxh64 - level: extended - type: keyword - ignore_above: 1024 - description: XX64 hash. - name: inode level: extended type: keyword 
@@ -1045,21 +985,6 @@ as appropriate (snake case).' type: group fields: - - name: blake2b_256 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-256 hash. - - name: blake2b_384 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-384 hash. - - name: blake2b_512 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-512 hash. - name: md5 level: extended type: keyword @@ -1070,61 +995,16 @@ type: keyword ignore_above: 1024 description: SHA1 hash. - - name: sha224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA224 hash. - name: sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - - name: sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - - name: sha3_224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_224 hash. - - name: sha3_256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_256 hash. - - name: sha3_384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_384 hash. - - name: sha3_512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_512 hash. - name: sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - - name: sha512_224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512/224 hash. - - name: sha512_256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512/256 hash. - - name: xxh64 - level: extended - type: keyword - ignore_above: 1024 - description: XX64 hash. - name: host title: Host group: 2 
@@ -1756,21 +1636,6 @@ ignore_above: 1024 description: Absolute path to the process executable. example: /usr/bin/ssh - - name: hash.blake2b_256 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-256 hash. - - name: hash.blake2b_384 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-384 hash. - - name: hash.blake2b_512 - level: extended - type: keyword - ignore_above: 1024 - description: BLAKE2b-512 hash. - name: hash.md5 level: extended type: keyword @@ -1781,61 +1646,16 @@ type: keyword ignore_above: 1024 description: SHA1 hash. - - name: hash.sha224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA224 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - - name: hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - - name: hash.sha3_224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_224 hash. - - name: hash.sha3_256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_256 hash. - - name: hash.sha3_384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_384 hash. - - name: hash.sha3_512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA3_512 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - - name: hash.sha512_224 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512/224 hash. - - name: hash.sha512_256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512/256 hash. - - name: hash.xxh64 - level: extended - type: keyword - ignore_above: 1024 - description: XX64 hash. - name: name level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 8417b68d4d..d3d323dc11 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -98,22 +98,10 @@ file.directory,keyword,extended,/home/alice,1.1.0-dev file.extension,keyword,extended,png,1.1.0-dev file.gid,keyword,extended,1001,1.1.0-dev file.group,keyword,extended,alice,1.1.0-dev -file.hash.blake2b_256,keyword,extended,,1.1.0-dev -file.hash.blake2b_384,keyword,extended,,1.1.0-dev -file.hash.blake2b_512,keyword,extended,,1.1.0-dev file.hash.md5,keyword,extended,,1.1.0-dev file.hash.sha1,keyword,extended,,1.1.0-dev -file.hash.sha224,keyword,extended,,1.1.0-dev file.hash.sha256,keyword,extended,,1.1.0-dev -file.hash.sha384,keyword,extended,,1.1.0-dev -file.hash.sha3_224,keyword,extended,,1.1.0-dev -file.hash.sha3_256,keyword,extended,,1.1.0-dev -file.hash.sha3_384,keyword,extended,,1.1.0-dev -file.hash.sha3_512,keyword,extended,,1.1.0-dev file.hash.sha512,keyword,extended,,1.1.0-dev -file.hash.sha512_224,keyword,extended,,1.1.0-dev -file.hash.sha512_256,keyword,extended,,1.1.0-dev -file.hash.xxh64,keyword,extended,,1.1.0-dev file.inode,keyword,extended,256383,1.1.0-dev file.mode,keyword,extended,0640,1.1.0-dev file.mtime,date,extended,,1.1.0-dev 
@@ -134,22 +122,10 @@ geo.region_iso_code,keyword,core,CA-QC,1.1.0-dev geo.region_name,keyword,core,Quebec,1.1.0-dev group.id,keyword,extended,,1.1.0-dev group.name,keyword,extended,,1.1.0-dev -hash.blake2b_256,keyword,extended,,1.1.0-dev -hash.blake2b_384,keyword,extended,,1.1.0-dev -hash.blake2b_512,keyword,extended,,1.1.0-dev hash.md5,keyword,extended,,1.1.0-dev hash.sha1,keyword,extended,,1.1.0-dev -hash.sha224,keyword,extended,,1.1.0-dev hash.sha256,keyword,extended,,1.1.0-dev -hash.sha384,keyword,extended,,1.1.0-dev -hash.sha3_224,keyword,extended,,1.1.0-dev -hash.sha3_256,keyword,extended,,1.1.0-dev -hash.sha3_384,keyword,extended,,1.1.0-dev -hash.sha3_512,keyword,extended,,1.1.0-dev hash.sha512,keyword,extended,,1.1.0-dev -hash.sha512_224,keyword,extended,,1.1.0-dev -hash.sha512_256,keyword,extended,,1.1.0-dev -hash.xxh64,keyword,extended,,1.1.0-dev host.architecture,keyword,core,x86_64,1.1.0-dev host.geo.city_name,keyword,core,Montreal,1.1.0-dev host.geo.continent_name,keyword,core,North America,1.1.0-dev 
@@ -232,22 +208,10 @@ os.platform,keyword,extended,darwin,1.1.0-dev os.version,keyword,extended,10.14.1,1.1.0-dev process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.1.0-dev process.executable,keyword,extended,/usr/bin/ssh,1.1.0-dev -process.hash.blake2b_256,keyword,extended,,1.1.0-dev -process.hash.blake2b_384,keyword,extended,,1.1.0-dev -process.hash.blake2b_512,keyword,extended,,1.1.0-dev process.hash.md5,keyword,extended,,1.1.0-dev process.hash.sha1,keyword,extended,,1.1.0-dev -process.hash.sha224,keyword,extended,,1.1.0-dev process.hash.sha256,keyword,extended,,1.1.0-dev -process.hash.sha384,keyword,extended,,1.1.0-dev -process.hash.sha3_224,keyword,extended,,1.1.0-dev -process.hash.sha3_256,keyword,extended,,1.1.0-dev -process.hash.sha3_384,keyword,extended,,1.1.0-dev -process.hash.sha3_512,keyword,extended,,1.1.0-dev process.hash.sha512,keyword,extended,,1.1.0-dev -process.hash.sha512_224,keyword,extended,,1.1.0-dev -process.hash.sha512_256,keyword,extended,,1.1.0-dev -process.hash.xxh64,keyword,extended,,1.1.0-dev process.name,keyword,extended,ssh,1.1.0-dev process.pgid,long,extended,,1.1.0-dev process.pid,long,core,,1.1.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c69b7d503c..f702b61ef7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1090,43 +1090,13 @@ file.group: order: 11 short: Primary group name of the file. type: keyword -file.hash.blake2b_256: - description: BLAKE2b-256 hash. - flat_name: file.hash.blake2b_256 - ignore_above: 1024 - level: extended - name: blake2b_256 - order: 0 - original_fieldset: hash - short: BLAKE2b-256 hash. - type: keyword -file.hash.blake2b_384: - description: BLAKE2b-384 hash. - flat_name: file.hash.blake2b_384 - ignore_above: 1024 - level: extended - name: blake2b_384 - order: 1 - original_fieldset: hash - short: BLAKE2b-384 hash. - type: keyword -file.hash.blake2b_512: - description: BLAKE2b-512 hash. - flat_name: file.hash.blake2b_512 - ignore_above: 1024 - level: extended - name: blake2b_512 - order: 2 - original_fieldset: hash - short: BLAKE2b-512 hash. - type: keyword file.hash.md5: description: MD5 hash. flat_name: file.hash.md5 ignore_above: 1024 level: extended name: md5 - order: 3 + order: 0 original_fieldset: hash short: MD5 hash. type: keyword 
@@ -1136,120 +1106,30 @@ file.hash.sha1: ignore_above: 1024 level: extended name: sha1 - order: 4 + order: 1 original_fieldset: hash short: SHA1 hash. type: keyword -file.hash.sha224: - description: SHA224 hash. - flat_name: file.hash.sha224 - ignore_above: 1024 - level: extended - name: sha224 - order: 5 - original_fieldset: hash - short: SHA224 hash. - type: keyword file.hash.sha256: description: SHA256 hash. flat_name: file.hash.sha256 ignore_above: 1024 level: extended name: sha256 - order: 6 + order: 2 original_fieldset: hash short: SHA256 hash. type: keyword -file.hash.sha384: - description: SHA384 hash. - flat_name: file.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - order: 7 - original_fieldset: hash - short: SHA384 hash. - type: keyword -file.hash.sha3_224: - description: SHA3_224 hash. - flat_name: file.hash.sha3_224 - ignore_above: 1024 - level: extended - name: sha3_224 - order: 8 - original_fieldset: hash - short: SHA3_224 hash. - type: keyword -file.hash.sha3_256: - description: SHA3_256 hash. - flat_name: file.hash.sha3_256 - ignore_above: 1024 - level: extended - name: sha3_256 - order: 9 - original_fieldset: hash - short: SHA3_256 hash. - type: keyword -file.hash.sha3_384: - description: SHA3_384 hash. - flat_name: file.hash.sha3_384 - ignore_above: 1024 - level: extended - name: sha3_384 - order: 10 - original_fieldset: hash - short: SHA3_384 hash. - type: keyword -file.hash.sha3_512: - description: SHA3_512 hash. - flat_name: file.hash.sha3_512 - ignore_above: 1024 - level: extended - name: sha3_512 - order: 11 - original_fieldset: hash - short: SHA3_512 hash. - type: keyword file.hash.sha512: description: SHA512 hash. flat_name: file.hash.sha512 ignore_above: 1024 level: extended name: sha512 - order: 12 + order: 3 original_fieldset: hash short: SHA512 hash. type: keyword -file.hash.sha512_224: - description: SHA512/224 hash. 
- flat_name: file.hash.sha512_224 - ignore_above: 1024 - level: extended - name: sha512_224 - order: 13 - original_fieldset: hash - short: SHA512/224 hash. - type: keyword -file.hash.sha512_256: - description: SHA512/256 hash. - flat_name: file.hash.sha512_256 - ignore_above: 1024 - level: extended - name: sha512_256 - order: 14 - original_fieldset: hash - short: SHA512/256 hash. - type: keyword -file.hash.xxh64: - description: XX64 hash. - flat_name: file.hash.xxh64 - ignore_above: 1024 - level: extended - name: xxh64 - order: 15 - original_fieldset: hash - short: XX64 hash. - type: keyword file.inode: description: Inode representing the file in the filesystem. example: '256383' @@ -1451,40 +1331,13 @@ group.name: order: 1 short: Name of the group. type: keyword -hash.blake2b_256: - description: BLAKE2b-256 hash. - flat_name: hash.blake2b_256 - ignore_above: 1024 - level: extended - name: blake2b_256 - order: 0 - short: BLAKE2b-256 hash. - type: keyword -hash.blake2b_384: - description: BLAKE2b-384 hash. - flat_name: hash.blake2b_384 - ignore_above: 1024 - level: extended - name: blake2b_384 - order: 1 - short: BLAKE2b-384 hash. - type: keyword -hash.blake2b_512: - description: BLAKE2b-512 hash. - flat_name: hash.blake2b_512 - ignore_above: 1024 - level: extended - name: blake2b_512 - order: 2 - short: BLAKE2b-512 hash. - type: keyword hash.md5: description: MD5 hash. flat_name: hash.md5 ignore_above: 1024 level: extended name: md5 - order: 3 + order: 0 short: MD5 hash. type: keyword hash.sha1: 
@@ -1493,108 +1346,27 @@ hash.sha1: ignore_above: 1024 level: extended name: sha1 - order: 4 + order: 1 short: SHA1 hash. type: keyword -hash.sha224: - description: SHA224 hash. - flat_name: hash.sha224 - ignore_above: 1024 - level: extended - name: sha224 - order: 5 - short: SHA224 hash. - type: keyword hash.sha256: description: SHA256 hash. flat_name: hash.sha256 ignore_above: 1024 level: extended name: sha256 - order: 6 + order: 2 short: SHA256 hash. type: keyword -hash.sha384: - description: SHA384 hash. - flat_name: hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - order: 7 - short: SHA384 hash. - type: keyword -hash.sha3_224: - description: SHA3_224 hash. - flat_name: hash.sha3_224 - ignore_above: 1024 - level: extended - name: sha3_224 - order: 8 - short: SHA3_224 hash. - type: keyword -hash.sha3_256: - description: SHA3_256 hash. - flat_name: hash.sha3_256 - ignore_above: 1024 - level: extended - name: sha3_256 - order: 9 - short: SHA3_256 hash. - type: keyword -hash.sha3_384: - description: SHA3_384 hash. - flat_name: hash.sha3_384 - ignore_above: 1024 - level: extended - name: sha3_384 - order: 10 - short: SHA3_384 hash. - type: keyword -hash.sha3_512: - description: SHA3_512 hash. - flat_name: hash.sha3_512 - ignore_above: 1024 - level: extended - name: sha3_512 - order: 11 - short: SHA3_512 hash. - type: keyword hash.sha512: description: SHA512 hash. flat_name: hash.sha512 ignore_above: 1024 level: extended name: sha512 - order: 12 + order: 3 short: SHA512 hash. type: keyword -hash.sha512_224: - description: SHA512/224 hash. - flat_name: hash.sha512_224 - ignore_above: 1024 - level: extended - name: sha512_224 - order: 13 - short: SHA512/224 hash. - type: keyword -hash.sha512_256: - description: SHA512/256 hash. - flat_name: hash.sha512_256 - ignore_above: 1024 - level: extended - name: sha512_256 - order: 14 - short: SHA512/256 hash. - type: keyword -hash.xxh64: - description: XX64 hash. 
- flat_name: hash.xxh64 - ignore_above: 1024 - level: extended - name: xxh64 - order: 15 - short: XX64 hash. - type: keyword host.architecture: description: Operating system architecture. example: x86_64 @@ -2544,43 +2316,13 @@ process.executable: order: 5 short: Absolute path to the process executable. type: keyword -process.hash.blake2b_256: - description: BLAKE2b-256 hash. - flat_name: process.hash.blake2b_256 - ignore_above: 1024 - level: extended - name: blake2b_256 - order: 0 - original_fieldset: hash - short: BLAKE2b-256 hash. - type: keyword -process.hash.blake2b_384: - description: BLAKE2b-384 hash. - flat_name: process.hash.blake2b_384 - ignore_above: 1024 - level: extended - name: blake2b_384 - order: 1 - original_fieldset: hash - short: BLAKE2b-384 hash. - type: keyword -process.hash.blake2b_512: - description: BLAKE2b-512 hash. - flat_name: process.hash.blake2b_512 - ignore_above: 1024 - level: extended - name: blake2b_512 - order: 2 - original_fieldset: hash - short: BLAKE2b-512 hash. - type: keyword process.hash.md5: description: MD5 hash. flat_name: process.hash.md5 ignore_above: 1024 level: extended name: md5 - order: 3 + order: 0 original_fieldset: hash short: MD5 hash. type: keyword 
@@ -2590,120 +2332,30 @@ process.hash.sha1: ignore_above: 1024 level: extended name: sha1 - order: 4 + order: 1 original_fieldset: hash short: SHA1 hash. type: keyword -process.hash.sha224: - description: SHA224 hash. - flat_name: process.hash.sha224 - ignore_above: 1024 - level: extended - name: sha224 - order: 5 - original_fieldset: hash - short: SHA224 hash. - type: keyword process.hash.sha256: description: SHA256 hash. flat_name: process.hash.sha256 ignore_above: 1024 level: extended name: sha256 - order: 6 + order: 2 original_fieldset: hash short: SHA256 hash. type: keyword -process.hash.sha384: - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - order: 7 - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.hash.sha3_224: - description: SHA3_224 hash. - flat_name: process.hash.sha3_224 - ignore_above: 1024 - level: extended - name: sha3_224 - order: 8 - original_fieldset: hash - short: SHA3_224 hash. - type: keyword -process.hash.sha3_256: - description: SHA3_256 hash. - flat_name: process.hash.sha3_256 - ignore_above: 1024 - level: extended - name: sha3_256 - order: 9 - original_fieldset: hash - short: SHA3_256 hash. - type: keyword -process.hash.sha3_384: - description: SHA3_384 hash. - flat_name: process.hash.sha3_384 - ignore_above: 1024 - level: extended - name: sha3_384 - order: 10 - original_fieldset: hash - short: SHA3_384 hash. - type: keyword -process.hash.sha3_512: - description: SHA3_512 hash. - flat_name: process.hash.sha3_512 - ignore_above: 1024 - level: extended - name: sha3_512 - order: 11 - original_fieldset: hash - short: SHA3_512 hash. - type: keyword process.hash.sha512: description: SHA512 hash. flat_name: process.hash.sha512 ignore_above: 1024 level: extended name: sha512 - order: 12 + order: 3 original_fieldset: hash short: SHA512 hash. type: keyword -process.hash.sha512_224: - description: SHA512/224 hash. 
- flat_name: process.hash.sha512_224 - ignore_above: 1024 - level: extended - name: sha512_224 - order: 13 - original_fieldset: hash - short: SHA512/224 hash. - type: keyword -process.hash.sha512_256: - description: SHA512/256 hash. - flat_name: process.hash.sha512_256 - ignore_above: 1024 - level: extended - name: sha512_256 - order: 14 - original_fieldset: hash - short: SHA512/256 hash. - type: keyword -process.hash.xxh64: - description: XX64 hash. - flat_name: process.hash.xxh64 - ignore_above: 1024 - level: extended - name: xxh64 - order: 15 - original_fieldset: hash - short: XX64 hash. - type: keyword process.name: description: 'Process name. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a60c5944c5..ae06d57ef9 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1281,43 +1281,13 @@ file: order: 11 short: Primary group name of the file. type: keyword - hash.blake2b_256: - description: BLAKE2b-256 hash. - flat_name: file.hash.blake2b_256 - ignore_above: 1024 - level: extended - name: blake2b_256 - order: 0 - original_fieldset: hash - short: BLAKE2b-256 hash. - type: keyword - hash.blake2b_384: - description: BLAKE2b-384 hash. - flat_name: file.hash.blake2b_384 - ignore_above: 1024 - level: extended - name: blake2b_384 - order: 1 - original_fieldset: hash - short: BLAKE2b-384 hash. - type: keyword - hash.blake2b_512: - description: BLAKE2b-512 hash. - flat_name: file.hash.blake2b_512 - ignore_above: 1024 - level: extended - name: blake2b_512 - order: 2 - original_fieldset: hash - short: BLAKE2b-512 hash. - type: keyword hash.md5: description: MD5 hash. flat_name: file.hash.md5 ignore_above: 1024 level: extended name: md5 - order: 3 + order: 0 original_fieldset: hash short: MD5 hash. type: keyword 
@@ -1327,120 +1297,30 @@ file: ignore_above: 1024 level: extended name: sha1 - order: 4 + order: 1 original_fieldset: hash short: SHA1 hash. type: keyword - hash.sha224: - description: SHA224 hash. - flat_name: file.hash.sha224 - ignore_above: 1024 - level: extended - name: sha224 - order: 5 - original_fieldset: hash - short: SHA224 hash. - type: keyword hash.sha256: description: SHA256 hash. flat_name: file.hash.sha256 ignore_above: 1024 level: extended name: sha256 - order: 6 + order: 2 original_fieldset: hash short: SHA256 hash. type: keyword - hash.sha384: - description: SHA384 hash. - flat_name: file.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - order: 7 - original_fieldset: hash - short: SHA384 hash. - type: keyword - hash.sha3_224: - description: SHA3_224 hash. - flat_name: file.hash.sha3_224 - ignore_above: 1024 - level: extended - name: sha3_224 - order: 8 - original_fieldset: hash - short: SHA3_224 hash. - type: keyword - hash.sha3_256: - description: SHA3_256 hash. - flat_name: file.hash.sha3_256 - ignore_above: 1024 - level: extended - name: sha3_256 - order: 9 - original_fieldset: hash - short: SHA3_256 hash. - type: keyword - hash.sha3_384: - description: SHA3_384 hash. - flat_name: file.hash.sha3_384 - ignore_above: 1024 - level: extended - name: sha3_384 - order: 10 - original_fieldset: hash - short: SHA3_384 hash. - type: keyword - hash.sha3_512: - description: SHA3_512 hash. - flat_name: file.hash.sha3_512 - ignore_above: 1024 - level: extended - name: sha3_512 - order: 11 - original_fieldset: hash - short: SHA3_512 hash. - type: keyword hash.sha512: description: SHA512 hash. flat_name: file.hash.sha512 ignore_above: 1024 level: extended name: sha512 - order: 12 + order: 3 original_fieldset: hash short: SHA512 hash. type: keyword - hash.sha512_224: - description: SHA512/224 hash. 
- flat_name: file.hash.sha512_224 - ignore_above: 1024 - level: extended - name: sha512_224 - order: 13 - original_fieldset: hash - short: SHA512/224 hash. - type: keyword - hash.sha512_256: - description: SHA512/256 hash. - flat_name: file.hash.sha512_256 - ignore_above: 1024 - level: extended - name: sha512_256 - order: 14 - original_fieldset: hash - short: SHA512/256 hash. - type: keyword - hash.xxh64: - description: XX64 hash. - flat_name: file.hash.xxh64 - ignore_above: 1024 - level: extended - name: xxh64 - order: 15 - original_fieldset: hash - short: XX64 hash. - type: keyword inode: description: Inode representing the file in the filesystem. example: '256383' @@ -1693,40 +1573,13 @@ hash: other hashes by lowercasing the hash algorithm and using underscore separators as appropriate (snake case).' fields: - blake2b_256: - description: BLAKE2b-256 hash. - flat_name: hash.blake2b_256 - ignore_above: 1024 - level: extended - name: blake2b_256 - order: 0 - short: BLAKE2b-256 hash. - type: keyword - blake2b_384: - description: BLAKE2b-384 hash. - flat_name: hash.blake2b_384 - ignore_above: 1024 - level: extended - name: blake2b_384 - order: 1 - short: BLAKE2b-384 hash. - type: keyword - blake2b_512: - description: BLAKE2b-512 hash. - flat_name: hash.blake2b_512 - ignore_above: 1024 - level: extended - name: blake2b_512 - order: 2 - short: BLAKE2b-512 hash. - type: keyword md5: description: MD5 hash. flat_name: hash.md5 ignore_above: 1024 level: extended name: md5 - order: 3 + order: 0 short: MD5 hash. type: keyword sha1: 
@@ -1735,108 +1588,27 @@ hash: ignore_above: 1024 level: extended name: sha1 - order: 4 + order: 1 short: SHA1 hash. type: keyword - sha224: - description: SHA224 hash. - flat_name: hash.sha224 - ignore_above: 1024 - level: extended - name: sha224 - order: 5 - short: SHA224 hash. - type: keyword sha256: description: SHA256 hash. flat_name: hash.sha256 ignore_above: 1024 level: extended name: sha256 - order: 6 + order: 2 short: SHA256 hash. type: keyword - sha384: - description: SHA384 hash. - flat_name: hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - order: 7 - short: SHA384 hash. - type: keyword - sha3_224: - description: SHA3_224 hash. - flat_name: hash.sha3_224 - ignore_above: 1024 - level: extended - name: sha3_224 - order: 8 - short: SHA3_224 hash. - type: keyword - sha3_256: - description: SHA3_256 hash. - flat_name: hash.sha3_256 - ignore_above: 1024 - level: extended - name: sha3_256 - order: 9 - short: SHA3_256 hash. - type: keyword - sha3_384: - description: SHA3_384 hash. - flat_name: hash.sha3_384 - ignore_above: 1024 - level: extended - name: sha3_384 - order: 10 - short: SHA3_384 hash. - type: keyword - sha3_512: - description: SHA3_512 hash. - flat_name: hash.sha3_512 - ignore_above: 1024 - level: extended - name: sha3_512 - order: 11 - short: SHA3_512 hash. - type: keyword sha512: description: SHA512 hash. flat_name: hash.sha512 ignore_above: 1024 level: extended name: sha512 - order: 12 + order: 3 short: SHA512 hash. type: keyword - sha512_224: - description: SHA512/224 hash. - flat_name: hash.sha512_224 - ignore_above: 1024 - level: extended - name: sha512_224 - order: 13 - short: SHA512/224 hash. - type: keyword - sha512_256: - description: SHA512/256 hash. - flat_name: hash.sha512_256 - ignore_above: 1024 - level: extended - name: sha512_256 - order: 14 - short: SHA512/256 hash. - type: keyword - xxh64: - description: XX64 hash. 
- flat_name: hash.xxh64 - ignore_above: 1024 - level: extended - name: xxh64 - order: 15 - short: XX64 hash. - type: keyword group: 2 name: hash prefix: hash. @@ -2876,43 +2648,13 @@ process: order: 5 short: Absolute path to the process executable. type: keyword - hash.blake2b_256: - description: BLAKE2b-256 hash. - flat_name: process.hash.blake2b_256 - ignore_above: 1024 - level: extended - name: blake2b_256 - order: 0 - original_fieldset: hash - short: BLAKE2b-256 hash. - type: keyword - hash.blake2b_384: - description: BLAKE2b-384 hash. - flat_name: process.hash.blake2b_384 - ignore_above: 1024 - level: extended - name: blake2b_384 - order: 1 - original_fieldset: hash - short: BLAKE2b-384 hash. - type: keyword - hash.blake2b_512: - description: BLAKE2b-512 hash. - flat_name: process.hash.blake2b_512 - ignore_above: 1024 - level: extended - name: blake2b_512 - order: 2 - original_fieldset: hash - short: BLAKE2b-512 hash. - type: keyword hash.md5: description: MD5 hash. flat_name: process.hash.md5 ignore_above: 1024 level: extended name: md5 - order: 3 + order: 0 original_fieldset: hash short: MD5 hash. type: keyword 
@@ -2922,120 +2664,30 @@ process: ignore_above: 1024 level: extended name: sha1 - order: 4 + order: 1 original_fieldset: hash short: SHA1 hash. type: keyword - hash.sha224: - description: SHA224 hash. - flat_name: process.hash.sha224 - ignore_above: 1024 - level: extended - name: sha224 - order: 5 - original_fieldset: hash - short: SHA224 hash. - type: keyword hash.sha256: description: SHA256 hash. flat_name: process.hash.sha256 ignore_above: 1024 level: extended name: sha256 - order: 6 + order: 2 original_fieldset: hash short: SHA256 hash. type: keyword - hash.sha384: - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - order: 7 - original_fieldset: hash - short: SHA384 hash. - type: keyword - hash.sha3_224: - description: SHA3_224 hash. - flat_name: process.hash.sha3_224 - ignore_above: 1024 - level: extended - name: sha3_224 - order: 8 - original_fieldset: hash - short: SHA3_224 hash. - type: keyword - hash.sha3_256: - description: SHA3_256 hash. - flat_name: process.hash.sha3_256 - ignore_above: 1024 - level: extended - name: sha3_256 - order: 9 - original_fieldset: hash - short: SHA3_256 hash. - type: keyword - hash.sha3_384: - description: SHA3_384 hash. - flat_name: process.hash.sha3_384 - ignore_above: 1024 - level: extended - name: sha3_384 - order: 10 - original_fieldset: hash - short: SHA3_384 hash. - type: keyword - hash.sha3_512: - description: SHA3_512 hash. - flat_name: process.hash.sha3_512 - ignore_above: 1024 - level: extended - name: sha3_512 - order: 11 - original_fieldset: hash - short: SHA3_512 hash. - type: keyword hash.sha512: description: SHA512 hash. flat_name: process.hash.sha512 ignore_above: 1024 level: extended name: sha512 - order: 12 + order: 3 original_fieldset: hash short: SHA512 hash. type: keyword - hash.sha512_224: - description: SHA512/224 hash. 
- flat_name: process.hash.sha512_224 - ignore_above: 1024 - level: extended - name: sha512_224 - order: 13 - original_fieldset: hash - short: SHA512/224 hash. - type: keyword - hash.sha512_256: - description: SHA512/256 hash. - flat_name: process.hash.sha512_256 - ignore_above: 1024 - level: extended - name: sha512_256 - order: 14 - original_fieldset: hash - short: SHA512/256 hash. - type: keyword - hash.xxh64: - description: XX64 hash. - flat_name: process.hash.xxh64 - ignore_above: 1024 - level: extended - name: xxh64 - order: 15 - original_fieldset: hash - short: XX64 hash. - type: keyword name: description: 'Process name. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 01776ab183..198eda06f2 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -459,18 +459,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -479,49 +467,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, 
@@ -614,18 +566,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -634,49 +574,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, @@ -1077,18 +981,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -1097,49 +989,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 622673a6fc..a1c0da18ee 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -458,18 +458,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -478,49 +466,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, @@ -613,18 +565,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -633,49 +573,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, 
@@ -1076,18 +980,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1096,49 +988,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index d86e559d09..240fbcec6a 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -404,18 +404,6 @@ }, "hash": { "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -424,49 +412,13 @@ "ignore_above": 1024, "type": "keyword" }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, "sha256": { "ignore_above": 1024, "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, "sha512": { "ignore_above": 1024, "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" } } }, diff --git a/schemas/hash.yml b/schemas/hash.yml index 2bdac37ae4..3498e5ab75 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml @@ -18,21 +18,6 @@ fields: - - name: blake2b_256 - level: extended - type: keyword - description: BLAKE2b-256 hash. - - - name: blake2b_384 - level: extended - type: keyword - description: BLAKE2b-384 hash. - - - name: blake2b_512 - level: extended - type: keyword - description: BLAKE2b-512 hash. - - name: md5 level: extended type: keyword 
@@ -43,57 +28,12 @@ type: keyword description: SHA1 hash. - - name: sha224 - level: extended - type: keyword - description: SHA224 hash. - - name: sha256 level: extended type: keyword description: SHA256 hash. - - name: sha384 - level: extended - type: keyword - description: SHA384 hash. - - - name: sha3_224 - level: extended - type: keyword - description: SHA3_224 hash. - - - name: sha3_256 - level: extended - type: keyword - description: SHA3_256 hash. - - - name: sha3_384 - level: extended - type: keyword - description: SHA3_384 hash. - - - name: sha3_512 - level: extended - type: keyword - description: SHA3_512 hash. - - name: sha512 level: extended type: keyword description: SHA512 hash. - - - name: sha512_224 - level: extended - type: keyword - description: SHA512/224 hash. - - - name: sha512_256 - level: extended - type: keyword - description: SHA512/256 hash. - - - name: xxh64 - level: extended - type: keyword - description: XX64 hash. diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md index 779f6a9f76..dff825a597 100644 --- a/use-cases/auditbeat.md +++ b/use-cases/auditbeat.md @@ -23,22 +23,22 @@ ECS usage in Auditbeat. | [file.mtime](../README.md#file.mtime) | The last modified time of the file (time when content was modified). | extended | date | | | [file.ctime](../README.md#file.ctime) | The last change time of the file (time when metadata was changed). | extended | date | | | *hash.** | *Hash fields used in Auditbeat.
The hash field contains cryptographic hashes of data associated with the event (such as a file). The keys are names of cryptographic algorithms. The values are encoded as hexidecimal (lower-case).
All fields in user can have one or multiple entries.
* | | | | -| [hash.blake2b_256](../README.md#hash.blake2b_256) | BLAKE2b-256 hash of the file. | extended | keyword | | -| [hash.blake2b_384](../README.md#hash.blake2b_384) | BLAKE2b-384 hash of the file. | extended | keyword | | -| [hash.blake2b_512](../README.md#hash.blake2b_512) | BLAKE2b-512 hash of the file. | extended | keyword | | +| *hash.blake2b_256* | *BLAKE2b-256 hash of the file.* | (use case) | keyword | | +| *hash.blake2b_384* | *BLAKE2b-384 hash of the file.* | (use case) | keyword | | +| *hash.blake2b_512* | *BLAKE2b-512 hash of the file.* | (use case) | keyword | | | [hash.md5](../README.md#hash.md5) | MD5 hash. | extended | keyword | | | [hash.sha1](../README.md#hash.sha1) | SHA-1 hash. | extended | keyword | | -| [hash.sha224](../README.md#hash.sha224) | SHA-224 hash (SHA-2 family). | extended | keyword | | +| *hash.sha224* | *SHA-224 hash (SHA-2 family).* | (use case) | keyword | | | [hash.sha256](../README.md#hash.sha256) | SHA-256 hash (SHA-2 family). | extended | keyword | | -| [hash.sha384](../README.md#hash.sha384) | SHA-384 hash (SHA-2 family). | extended | keyword | | +| *hash.sha384* | *SHA-384 hash (SHA-2 family).* | (use case) | keyword | | | [hash.sha512](../README.md#hash.sha512) | SHA-512 hash (SHA-2 family). | extended | keyword | | -| [hash.sha512_224](../README.md#hash.sha512_224) | SHA-512/224 hash (SHA-2 family). | extended | keyword | | -| [hash.sha512_256](../README.md#hash.sha512_256) | SHA-512/256 hash (SHA-2 family). | extended | keyword | | -| [hash.sha3_224](../README.md#hash.sha3_224) | SHA3-224 hash (SHA-3 family). | extended | keyword | | -| [hash.sha3_256](../README.md#hash.sha3_256) | SHA3-256 hash (SHA-3 family). | extended | keyword | | -| [hash.sha3_384](../README.md#hash.sha3_384) | SHA3-384 hash (SHA-3 family). | extended | keyword | | -| [hash.sha3_512](../README.md#hash.sha3_512) | SHA3-512 hash (SHA-3 family). | extended | keyword | | -| [hash.xxh64](../README.md#hash.xxh64) | XX64 hash of the file. 
| extended | keyword | | +| *hash.sha512_224* | *SHA-512/224 hash (SHA-2 family).* | (use case) | keyword | | +| *hash.sha512_256* | *SHA-512/256 hash (SHA-2 family).* | (use case) | keyword | | +| *hash.sha3_224* | *SHA3-224 hash (SHA-3 family).* | (use case) | keyword | | +| *hash.sha3_256* | *SHA3-256 hash (SHA-3 family).* | (use case) | keyword | | +| *hash.sha3_384* | *SHA3-384 hash (SHA-3 family).* | (use case) | keyword | | +| *hash.sha3_512* | *SHA3-512 hash (SHA-3 family).* | (use case) | keyword | | +| *hash.xxh64* | *XX64 hash of the file.* | (use case) | keyword | | From 6de98fe13b332cdb37b1ca23b9eb18fb794bfef5 Mon Sep 17 00:00:00 2001 From: Christoph Wurm Date: Wed, 22 May 2019 13:40:56 -0700 Subject: [PATCH 4/4] Amend description. --- code/go/ecs/hash.go | 4 ++-- docs/field-details.asciidoc | 2 +- generated/beats/fields.ecs.yml | 4 ++-- generated/ecs/ecs_nested.yml | 4 ++-- schemas/hash.yml | 3 ++- 5 files changed, 9 insertions(+), 8 deletions(-) diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go index 1cb82c98c1..070b4256cc 100644 --- a/code/go/ecs/hash.go +++ b/code/go/ecs/hash.go @@ -21,8 +21,8 @@ package ecs // The hash fields represent different hash algorithms and their values. // Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields -// for other hashes by lowercasing the hash algorithm and using underscore -// separators as appropriate (snake case). +// for other hashes by lowercasing the hash algorithm name and using underscore +// separators as appropriate (snake case, e.g. sha3_512). type Hash struct { // MD5 hash. Md5 string `ecs:"md5"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 739f308539..a075aa84bb 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -1364,7 +1364,7 @@ Note also that the `group` fields may be used directly at the top level. The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm and using underscore separators as appropriate (snake case). +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). ==== Group Field Details diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index c052a689f1..c984ca82d6 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -981,8 +981,8 @@ description: 'The hash fields represent different hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for - other hashes by lowercasing the hash algorithm and using underscore separators - as appropriate (snake case).' + other hashes by lowercasing the hash algorithm name and using underscore separators + as appropriate (snake case, e.g. sha3_512).' type: group fields: - name: md5 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ae06d57ef9..c0ea72ea23 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1570,8 +1570,8 @@ hash: description: 'The hash fields represent different hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for - other hashes by lowercasing the hash algorithm and using underscore separators - as appropriate (snake case).' + other hashes by lowercasing the hash algorithm name and using underscore separators + as appropriate (snake case, e.g. sha3_512).' fields: md5: description: MD5 hash. diff --git a/schemas/hash.yml b/schemas/hash.yml index 3498e5ab75..cbf2e40ef2 100644 --- a/schemas/hash.yml 
+++ b/schemas/hash.yml @@ -8,7 +8,8 @@ The hash fields represent different hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes - by lowercasing the hash algorithm and using underscore separators as appropriate (snake case). + by lowercasing the hash algorithm name and using underscore separators as appropriate + (snake case, e.g. sha3_512). reusable: top_level: false
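Review bot: The amended description settles how custom hash fields are named but still says nothing about how the values are encoded, even though the Auditbeat use-case earlier in this series already states "hexadecimal (lower-case)"; because every `hash.*` field is a `keyword`, an upper-case or base64-encoded digest would silently miss exact-match lookups against hash lists and detection rules. Consider adding one sentence after the snake-case example in this hunk, e.g. `Hash values should be encoded as lower-case hexadecimal so that keyword matching against other sources is consistent.` The same description text appears to be mirrored into the generated copies changed on the preceding hunks (code/go/ecs/hash.go, docs/field-details.asciidoc, generated/beats/fields.ecs.yml, generated/ecs/ecs_nested.yml), so those should be regenerated from this schema rather than edited by hand.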