Add event.reference field

CHANGELOG.next.md

@@ -19,7 +19,7 @@ Thanks, you're awesome :-) -->
 * Fieldset for PE metadata. #731
 * Globally unique identifier `entity_id` for `process` and `process.parent`. (#747)
 
-* Added field event.reference to hold link to additional event info/actions. (#757)
+* Added fields `event.reference` and `event.url` to hold link to additional event info/actions. (#757)
 
 #### Improvements
 

docs/field-details.asciidoc

@@ -1717,13 +1717,13 @@ example: `kernel`
 | event.reference
 | Reference URL linking to additional information about this event.
 
-This URL can link to either a static definition of the general event, or to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+This URL links to a static definition of the this event Alert events, indicated by `event.kind:alert`, are a common use case for this field.
 
 type: keyword
 
 
 
-example: `https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe`
+example: `https://system.vendor.com/event/#0001234`
 
 | extended
 
@@ -1844,6 +1844,21 @@ To learn more about when to use which value, visit the page
 
 // ===============================================================
 
+| event.url
+| URL linking to an external system to continue investigtion of this event.
+
+This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+
+
+example: `https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 [[ecs-file]]

generated/beats/fields.ecs.yml

@@ -1291,11 +1291,9 @@
       ignore_above: 1024
       description: 'Reference URL linking to additional information about this event.
 
-        This URL can link to either a static definition of the general event, or to
-        another system where in-depth investigation of the specific occurence of this
-        event can take place. Alert events, indicated by `event.kind:alert`, are a
-        common use case for this field.'
-      example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+        This URL links to a static definition of the this event Alert events, indicated
+        by `event.kind:alert`, are a common use case for this field.'
+      example: https://system.vendor.com/event/#0001234
       default_field: false
     - name: risk_score
       level: core
@@ -1361,6 +1359,18 @@
 
         This field is an array. This will allow proper categorization of some events
         that fall in multiple event types.'
+    - name: url
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'URL linking to an external system to continue investigtion of
+        this event.
+
+        This URL links to another system where in-depth investigation of the specific
+        occurence of this event can take place. Alert events, indicated by `event.kind:alert`,
+        are a common use case for this field.'
+      example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+      default_field: false
   - name: file
     title: File
     group: 2

generated/csv/fields.csv

@@ -151,14 +151,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
 1.5.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest categorization field in the hierarchy.
 1.5.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.5.0-dev,true,event,event.reference,keyword,extended,,https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event reference URL
+1.5.0-dev,true,event,event.reference,keyword,extended,,https://system.vendor.com/event/#0001234,Event reference URL
 1.5.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
 1.5.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
 1.5.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
 1.5.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
 1.5.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
 1.5.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
 1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.5.0-dev,true,event,event.url,keyword,extended,,https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
 1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 1.5.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.

generated/ecs/ecs_flat.yml

@@ -2202,11 +2202,9 @@ event.reference:
   dashed_name: event-reference
   description: 'Reference URL linking to additional information about this event.
 
-    This URL can link to either a static definition of the general event, or to another
-    system where in-depth investigation of the specific occurence of this event can
-    take place. Alert events, indicated by `event.kind:alert`, are a common use case
-    for this field.'
-  example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+    This URL links to a static definition of the this event Alert events, indicated
+    by `event.kind:alert`, are a common use case for this field.'
+  example: https://system.vendor.com/event/#0001234
   flat_name: event.reference
   ignore_above: 1024
   level: extended
@@ -2392,6 +2390,23 @@ event.type:
   order: 6
   short: Event type. The third categorization field in the hierarchy.
   type: keyword
+event.url:
+  dashed_name: event-url
+  description: 'URL linking to an external system to continue investigtion of this
+    event.
+
+    This URL links to another system where in-depth investigation of the specific
+    occurence of this event can take place. Alert events, indicated by `event.kind:alert`,
+    are a common use case for this field.'
+  example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+  flat_name: event.url
+  ignore_above: 1024
+  level: extended
+  name: url
+  normalize: []
+  order: 23
+  short: Event investigation URL
+  type: keyword
 file.accessed:
   dashed_name: file-accessed
   description: 'Last time the file was accessed.

generated/ecs/ecs_nested.yml

@@ -2461,11 +2461,9 @@ event:
       dashed_name: event-reference
       description: 'Reference URL linking to additional information about this event.
 
-        This URL can link to either a static definition of the general event, or to
-        another system where in-depth investigation of the specific occurence of this
-        event can take place. Alert events, indicated by `event.kind:alert`, are a
-        common use case for this field.'
-      example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+        This URL links to a static definition of the this event Alert events, indicated
+        by `event.kind:alert`, are a common use case for this field.'
+      example: https://system.vendor.com/event/#0001234
       flat_name: event.reference
       ignore_above: 1024
       level: extended
@@ -2653,6 +2651,23 @@ event:
       order: 6
       short: Event type. The third categorization field in the hierarchy.
       type: keyword
+    url:
+      dashed_name: event-url
+      description: 'URL linking to an external system to continue investigtion of
+        this event.
+
+        This URL links to another system where in-depth investigation of the specific
+        occurence of this event can take place. Alert events, indicated by `event.kind:alert`,
+        are a common use case for this field.'
+      example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+      flat_name: event.url
+      ignore_above: 1024
+      level: extended
+      name: url
+      normalize: []
+      order: 23
+      short: Event investigation URL
+      type: keyword
   group: 2
   name: event
   prefix: event.

generated/elasticsearch/6/template.json

@@ -762,6 +762,10 @@
             "type": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "url": {
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         },

generated/elasticsearch/7/template.json

@@ -761,6 +761,10 @@
           "type": {
             "ignore_above": 1024,
             "type": "keyword"
+          },
+          "url": {
+            "ignore_above": 1024,
+            "type": "keyword"
           }
         }
       },

schemas/event.yml

@@ -549,7 +549,19 @@
       description: >
         Reference URL linking to additional information about this event.
 
-        This URL can link to either a static definition of the general event, or to another
+        This URL links to a static definition of the this event
+        Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+      example: https://system.vendor.com/event/#0001234
+
+    - name: url
+      level: extended
+      type: keyword
+      short: Event investigation URL
+      description: >
+        URL linking to an external system to continue investigtion of this event.
+
+        This URL links to another
         system where in-depth investigation of the specific occurence of this event can take place.
         Alert events, indicated by `event.kind:alert`, are a common use case for this field.