diff --git a/Makefile b/Makefile index a40ffa5b9..1c3c51e98 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) # we are intentionally pinning the ECS version here, when ecs releases a new version # we'll discuss whether we need to release a new package and bump the version here -ECS_GIT_REF ?= v8.3.1 +ECS_GIT_REF ?= v8.5.2 # This variable specifies to location of the package-storage repo. It is used for automatically creating a PR # to release a new endpoint package. This can be overridden with the location on your file system using the config.mk diff --git a/package/endpoint/data_stream/alerts/fields/fields.yml b/package/endpoint/data_stream/alerts/fields/fields.yml index 5a7380528..049e9f453 100644 --- a/package/endpoint/data_stream/alerts/fields/fields.yml +++ b/package/endpoint/data_stream/alerts/fields/fields.yml @@ -4226,9 +4226,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version 
@@ -5480,11 +5478,12 @@ default_field: false - name: env_vars level: extended - type: object - description: 'Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended @@ -8534,8 +8533,8 @@ level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings. Recommended values are:\n * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: Traffic Light Protocol sharing markings. + example: WHITE default_field: false - name: enrichments.indicator.modified_at level: extended @@ -8631,7 +8630,7 @@ level: extended type: keyword ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr default_field: false - name: enrichments.indicator.url.domain @@ -8776,7 +8775,7 @@ level: extended type: keyword ignore_above: 1024 - description: List of country (C) codes + description: List of country \(C) codes example: US default_field: false - name: enrichments.indicator.x509.issuer.distinguished_name 
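Review bot: The `env_vars` mapping moves from `object` to `keyword` with `ignore_above: 1024`, so any single binding longer than 1024 characters (a long `PATH`, or a variable carrying a library-preload path or a token) is kept in `_source` but is not indexed and cannot be matched by a detection query; the new description should state this, e.g. append `Bindings longer than 1024 characters are stored but not indexed.` to the `description:` scalar. Changing the type of an existing field is a breaking mapping change: an index that already holds `process.env_vars` as an object cannot accept the new template for that field until it is rolled over, which the hunk does not call out — presumably the package version bump covers this, but it deserves a changelog line. The same change is made in the process data stream at `@@ -1414,11 +1412,12 @@` and in the README table.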
@@ -8879,7 +8878,7 @@ level: extended type: keyword ignore_above: 1024 - description: List of country (C) code + description: List of country \(C) code example: US default_field: false - name: enrichments.indicator.x509.subject.distinguished_name @@ -9012,7 +9011,7 @@ level: extended type: keyword ignore_above: 1024 - description: "Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.\nExpected values are:\n * Not Specified\n * None\n * Low\n * Medium\n * High" + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. example: Medium default_field: false - name: indicator.description @@ -9915,7 +9914,7 @@ level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n * WHITE\n * GREEN\n * AMBER\n * RED" + description: Traffic Light Protocol sharing markings. example: WHITE default_field: false - name: indicator.modified_at @@ -10012,7 +10011,7 @@ level: extended type: keyword ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\nRecommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr default_field: false - name: indicator.url.domain 
@@ -10157,7 +10156,7 @@ level: extended type: keyword ignore_above: 1024 - description: List of country (C) codes + description: List of country \(C) codes example: US default_field: false - name: indicator.x509.issuer.distinguished_name @@ -10260,7 +10259,7 @@ level: extended type: keyword ignore_above: 1024 - description: List of country (C) code + description: List of country \(C) code example: US default_field: false - name: indicator.x509.subject.distinguished_name @@ -10322,7 +10321,7 @@ level: extended type: keyword ignore_above: 1024 - description: "The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nRecommended Values:\n * AWS\n * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE ATT&CK® software platforms." + description: "The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values." example: '[ "Windows" ]' default_field: false - name: software.reference @@ -10336,7 +10335,7 @@ level: extended type: keyword ignore_above: 1024 - description: "The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nRecommended values\n * Malware\n * Tool\n\n While not required, you can use a MITRE ATT&CK® software type." + description: "The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type." example: Tool default_field: false - name: tactic.id diff --git a/package/endpoint/data_stream/file/fields/fields.yml b/package/endpoint/data_stream/file/fields/fields.yml index 609b51a40..99af4feca 100644 --- a/package/endpoint/data_stream/file/fields/fields.yml +++ b/package/endpoint/data_stream/file/fields/fields.yml 
@@ -970,9 +970,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/data_stream/library/fields/fields.yml b/package/endpoint/data_stream/library/fields/fields.yml index 30417c484..eec037b04 100644 --- a/package/endpoint/data_stream/library/fields/fields.yml +++ b/package/endpoint/data_stream/library/fields/fields.yml @@ -963,9 +963,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/data_stream/metadata/fields/fields.yml b/package/endpoint/data_stream/metadata/fields/fields.yml index 03f1b3d21..771eb3093 100644 --- a/package/endpoint/data_stream/metadata/fields/fields.yml +++ b/package/endpoint/data_stream/metadata/fields/fields.yml 
@@ -451,9 +451,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/data_stream/metrics/fields/fields.yml b/package/endpoint/data_stream/metrics/fields/fields.yml index cf2a3b6c5..f03606c78 100644 --- a/package/endpoint/data_stream/metrics/fields/fields.yml +++ b/package/endpoint/data_stream/metrics/fields/fields.yml @@ -977,9 +977,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/data_stream/network/fields/fields.yml b/package/endpoint/data_stream/network/fields/fields.yml index 550d2345e..57dbf893d 100644 --- a/package/endpoint/data_stream/network/fields/fields.yml +++ b/package/endpoint/data_stream/network/fields/fields.yml 
@@ -633,9 +633,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version 
@@ -751,7 +749,13 @@ level: core type: keyword ignore_above: 1024 - description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values \"ingress\" or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that \"external\" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers." + description: 'Direction of the network traffic. + + When mapping events from a host-based monitoring context, populate this field from the host''s point of view, using the values "ingress" or "egress". + + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.' example: inbound - name: iana_number level: extended diff --git a/package/endpoint/data_stream/policy/fields/fields.yml b/package/endpoint/data_stream/policy/fields/fields.yml index e29227ed7..201c5f5be 100644 --- a/package/endpoint/data_stream/policy/fields/fields.yml +++ b/package/endpoint/data_stream/policy/fields/fields.yml 
@@ -760,9 +760,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/data_stream/process/fields/fields.yml b/package/endpoint/data_stream/process/fields/fields.yml index f9c9f42ad..e164d6bfa 100644 --- a/package/endpoint/data_stream/process/fields/fields.yml +++ b/package/endpoint/data_stream/process/fields/fields.yml @@ -596,9 +596,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version 
@@ -1414,11 +1412,12 @@ default_field: false - name: env_vars level: extended - type: object - description: 'Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended diff --git a/package/endpoint/data_stream/process/sample_event.json b/package/endpoint/data_stream/process/sample_event.json index ea96d04fd..9a1f45eb9 100644 --- a/package/endpoint/data_stream/process/sample_event.json +++ b/package/endpoint/data_stream/process/sample_event.json @@ -159,7 +159,11 @@ "total_bytes_captured": 10, "total_bytes_skipped": 0, "max_bytes_per_process_exceeded": false - } + }, + "env_vars": [ + "NICK=test", + "OTHER=why" + ] }, "message": "Endpoint process event", "@timestamp": "2022-04-04T18:53:08.6578986Z", diff --git a/package/endpoint/data_stream/registry/fields/fields.yml b/package/endpoint/data_stream/registry/fields/fields.yml index 4fb8deb30..a2c5a44c1 100644 --- a/package/endpoint/data_stream/registry/fields/fields.yml +++ b/package/endpoint/data_stream/registry/fields/fields.yml 
@@ -533,9 +533,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/data_stream/security/fields/fields.yml b/package/endpoint/data_stream/security/fields/fields.yml index d091799b0..5a7440681 100644 --- a/package/endpoint/data_stream/security/fields/fields.yml +++ b/package/endpoint/data_stream/security/fields/fields.yml @@ -493,9 +493,7 @@ ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md index 843b31f4d..9a59e47c7 100644 --- a/package/endpoint/docs/README.md +++ b/package/endpoint/docs/README.md 
@@ -572,7 +572,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.pid_ns_ino | This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | 
@@ -745,7 +745,7 @@ sent by the endpoint. | process.entry_leader.user.id | Unique identifier of the user. | keyword | | process.entry_leader.user.name | Short name or login of the user. | keyword | | process.entry_leader.working_directory | The working directory of the process. | keyword | -| process.env_vars | Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information. The field should not contain nested objects. All values should use `keyword`. | object | +| process.env_vars | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | process.group_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | 
@@ -1147,7 +1147,7 @@ sent by the endpoint. | threat.enrichments.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | threat.enrichments.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | | threat.enrichments.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.enrichments.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED | keyword | +| threat.enrichments.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | | threat.enrichments.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | threat.enrichments.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | | threat.enrichments.indicator.provider | The name of the indicator's provider. | keyword | 
@@ -1161,7 +1161,7 @@ sent by the endpoint. | threat.enrichments.indicator.registry.value | Name of the value written. | keyword | | threat.enrichments.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | | threat.enrichments.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | -| threat.enrichments.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate | keyword | +| threat.enrichments.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.enrichments.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | threat.enrichments.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | threat.enrichments.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | 
@@ -1178,7 +1178,7 @@ sent by the endpoint. | threat.enrichments.indicator.url.username | Username of the request. | keyword | | threat.enrichments.indicator.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | | threat.enrichments.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| threat.enrichments.indicator.x509.issuer.country | List of country (C) codes | keyword | +| threat.enrichments.indicator.x509.issuer.country | List of country \(C) codes | keyword | | threat.enrichments.indicator.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | | threat.enrichments.indicator.x509.issuer.locality | List of locality names (L) | keyword | | threat.enrichments.indicator.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | 
@@ -1193,7 +1193,7 @@ sent by the endpoint. | threat.enrichments.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | | threat.enrichments.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | | threat.enrichments.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| threat.enrichments.indicator.x509.subject.country | List of country (C) code | keyword | +| threat.enrichments.indicator.x509.subject.country | List of country \(C) code | keyword | | threat.enrichments.indicator.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | | threat.enrichments.indicator.x509.subject.locality | List of locality names (L) | keyword | | threat.enrichments.indicator.x509.subject.organization | List of organizations (O) of subject. | keyword | 
@@ -1212,7 +1212,7 @@ sent by the endpoint. | threat.group.reference | The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. | keyword | | threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | | threat.indicator.description | Describes the type of action conducted by the threat. | keyword | | threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | | threat.indicator.file.Ext | Object for all custom defined fields to live in. | object | 
@@ -1350,7 +1350,7 @@ sent by the endpoint. | threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | | threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED | keyword | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | | threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | | threat.indicator.provider | The name of the indicator's provider. | keyword | 
@@ -1364,7 +1364,7 @@ sent by the endpoint. | threat.indicator.registry.value | Name of the value written. | keyword | | threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | | threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | 
@@ -1381,7 +1381,7 @@ sent by the endpoint. | threat.indicator.url.username | Username of the request. | keyword | | threat.indicator.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | | threat.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| threat.indicator.x509.issuer.country | List of country (C) codes | keyword | +| threat.indicator.x509.issuer.country | List of country \(C) codes | keyword | | threat.indicator.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | | threat.indicator.x509.issuer.locality | List of locality names (L) | keyword | | threat.indicator.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | 
@@ -1396,7 +1396,7 @@ sent by the endpoint. | threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | | threat.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | | threat.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| threat.indicator.x509.subject.country | List of country (C) code | keyword | +| threat.indicator.x509.subject.country | List of country \(C) code | keyword | | threat.indicator.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | | threat.indicator.x509.subject.locality | List of locality names (L) | keyword | | threat.indicator.x509.subject.organization | List of organizations (O) of subject. | keyword | 
@@ -1405,9 +1405,9 @@ sent by the endpoint. | threat.indicator.x509.version_number | Version of x509 format. | keyword | | threat.software.id | The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. | keyword | | threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. | keyword | -| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. | keyword | +| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword | | threat.software.reference | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. | keyword | -| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. | keyword | +| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword | | threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | | threat.tactic.name | Name of the type of tactic used by this threat. 
You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | | threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | @@ -1569,7 +1569,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -1757,7 +1757,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -1892,7 +1892,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -1908,7 +1908,7 @@ sent by the endpoint. | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | 
@@ -2054,7 +2054,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.pid_ns_ino | This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | 
@@ -2164,7 +2164,7 @@ sent by the endpoint. | process.entry_leader.user.id | Unique identifier of the user. | keyword | | process.entry_leader.user.name | Short name or login of the user. | keyword | | process.entry_leader.working_directory | The working directory of the process. | keyword | -| process.env_vars | Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information. The field should not contain nested objects. All values should use `keyword`. | object | +| process.env_vars | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | process.group.id | Unique identifier for the group on the system/platform. | keyword | 
@@ -2440,7 +2440,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -2563,7 +2563,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -2680,7 +2680,7 @@ sent by the endpoint. | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -2790,7 +2790,7 @@ Metrics documents contain performance information about the endpoint executable | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | 
@@ -2851,7 +2851,7 @@ Metrics documents contain performance information about the endpoint executable | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | diff --git a/schemas/v1/alerts/linux_event_model_event.yaml b/schemas/v1/alerts/linux_event_model_event.yaml index b6f4843be..ab30d48dc 100644 --- a/schemas/v1/alerts/linux_event_model_event.yaml +++ b/schemas/v1/alerts/linux_event_model_event.yaml 
@@ -480,7 +480,6 @@ process.entry_leader.entry_meta.source.ip: short: IP address of the source. type: ip process.entry_leader.entry_meta.type: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-entry-meta-type description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console @@ -539,7 +538,6 @@ process.entry_leader.group.name: short: Name of the group. type: keyword process.entry_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -733,7 +731,6 @@ process.entry_leader.real_user.name: short: Short name or login of the user. type: keyword process.entry_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -847,7 +844,6 @@ process.entry_leader.supplemental_groups.name: short: Name of the group. type: keyword process.entry_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -859,7 +855,6 @@ process.entry_leader.tty: short: Information about the controlling TTY device. type: object process.entry_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -874,7 +869,6 @@ process.entry_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.entry_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -941,17 +935,19 @@ process.entry_leader.working_directory: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. May - be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. @@ -1093,7 +1089,6 @@ process.group_leader.group.name: short: Name of the group. type: keyword process.group_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-group-leader-interactive description: 'Whether the process is connected to an interactive shell. 
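Review bot: The new `ignore_above: 1024` on process.env_vars (hunk @@ -941) means any single binding longer than 1024 characters is kept in `_source` but is neither indexed nor aggregatable, and `PATH`- or `CLASSPATH`-style bindings routinely exceed that, so a search or detection rule matching on env_vars silently misses exactly those values; the description should state it, e.g. `Bindings longer than 1024 characters are stored but not indexed and cannot be searched.` Changing `type: object` to `type: keyword` is also not a compatible mapping change: a backing index that already holds env_vars mapped as object will reject the new mapping, so this presumably needs a package version bump that triggers a rollover rather than an in-place update. `May be filtered to protect sensitive information` leaves it unstated who filters; each `KEY=VALUE` string is now indexed verbatim, so the description or the data-stream docs should say whether the endpoint redacts values before shipping. The same field appears in the markdown hunk at L30.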
@@ -1201,7 +1196,6 @@ process.group_leader.real_user.name: short: Short name or login of the user. type: keyword process.group_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -1315,7 +1309,6 @@ process.group_leader.supplemental_groups.name: short: Name of the group. type: keyword process.group_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -1327,7 +1320,6 @@ process.group_leader.tty: short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -1342,7 +1334,6 @@ process.group_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -1407,7 +1398,6 @@ process.group_leader.working_directory: short: The working directory of the process. type: keyword process.interactive: - beta: This field is beta and subject to change. dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. 
@@ -1613,7 +1603,6 @@ process.parent.group_leader.start: short: The time the process started. type: date process.parent.interactive: - beta: This field is beta and subject to change. dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. @@ -1804,7 +1793,6 @@ process.parent.supplemental_groups.name: short: Name of the group. type: keyword process.parent.tty: - beta: This field is beta and subject to change. dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -1816,7 +1804,6 @@ process.parent.tty: short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -1831,7 +1818,6 @@ process.parent.tty.char_device.major: short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -2179,7 +2165,6 @@ process.session_leader.group.name: short: Name of the group. type: keyword process.session_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-session-leader-interactive description: 'Whether the process is connected to an interactive shell. 
@@ -2373,7 +2358,6 @@ process.session_leader.real_user.name: short: Short name or login of the user. type: keyword process.session_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -2487,7 +2471,6 @@ process.session_leader.supplemental_groups.name: short: Name of the group. type: keyword process.session_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -2499,7 +2482,6 @@ process.session_leader.tty: short: Information about the controlling TTY device. type: object process.session_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -2514,7 +2496,6 @@ process.session_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.session_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -2611,7 +2592,6 @@ process.supplemental_groups.name: short: Name of the group. type: keyword process.tty: - beta: This field is beta and subject to change. dashed_name: process-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. 
@@ -2622,7 +2602,6 @@ process.tty: short: Information about the controlling TTY device. type: object process.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -2636,7 +2615,6 @@ process.tty.char_device.major: short: The TTY character device's major number. type: long process.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ diff --git a/schemas/v1/alerts/malware_event.yaml b/schemas/v1/alerts/malware_event.yaml index ba4b021b9..ef16ce54a 100644 --- a/schemas/v1/alerts/malware_event.yaml +++ b/schemas/v1/alerts/malware_event.yaml 
@@ -5312,19 +5312,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version @@ -7575,7 +7581,6 @@ source.ip: short: IP address of the source. type: ip threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -7587,7 +7592,6 @@ threat.enrichments: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator 
@@ -9036,7 +9040,6 @@ threat.enrichments.indicator.file.uid: short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -9188,7 +9191,6 @@ threat.enrichments.indicator.geo.timezone: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -9199,7 +9201,6 @@ threat.enrichments.indicator.ip: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -9211,11 +9212,14 @@ threat.enrichments.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: Traffic Light Protocol sharing markings. + example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended 
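Review bot: The `expected_values` added for threat.enrichments.indicator.marking.tlp (hunk @@ -9211) are the TLP 1.0 labels; TLP 2.0, published by FIRST in 2022, replaced WHITE with CLEAR and added AMBER+STRICT, so indicators carrying those markings fall outside the list this package declares. Because the field is a case-sensitive `keyword`, `example: WHITE` is now the only spelling that matches the expected values, and documents already indexed with the previous example `White` will not be returned by a query for `WHITE`. Suggest documenting the normalization in the description: `description: Traffic Light Protocol sharing markings. Values are case-sensitive; normalize to uppercase before indexing.` If these schema files are regenerated from upstream ECS, the CLEAR / AMBER+STRICT addition belongs there rather than in this repository.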
@@ -9224,7 +9228,6 @@ threat.enrichments.indicator.marking.tlp: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -9236,7 +9239,6 @@ threat.enrichments.indicator.modified_at: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -9247,7 +9249,6 @@ threat.enrichments.indicator.port: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus @@ -9259,7 +9260,6 @@ threat.enrichments.indicator.provider: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -9366,7 +9366,6 @@ threat.enrichments.indicator.registry.value: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. 
@@ -9378,7 +9377,6 @@ threat.enrichments.indicator.scanner_stats: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 @@ -9389,14 +9387,27 @@ threat.enrichments.indicator.sightings: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended @@ -9652,7 +9663,7 @@ threat.enrichments.indicator.x509.issuer.common_name: type: keyword threat.enrichments.indicator.x509.issuer.country: dashed_name: threat-enrichments-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 
@@ -9661,7 +9672,7 @@ threat.enrichments.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.enrichments.indicator.x509.issuer.distinguished_name: dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name @@ -9842,7 +9853,7 @@ threat.enrichments.indicator.x509.subject.common_name: type: keyword threat.enrichments.indicator.x509.subject.country: dashed_name: threat-enrichments-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 @@ -9851,7 +9862,7 @@ threat.enrichments.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.enrichments.indicator.x509.subject.distinguished_name: dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name @@ -9929,7 +9940,6 @@ threat.enrichments.indicator.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -9942,7 +9952,6 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. 
@@ -9955,7 +9964,6 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 @@ -9967,7 +9975,6 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -9979,7 +9986,6 @@ threat.enrichments.matched.index: short: Matched indicator index type: keyword threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator @@ -10088,11 +10094,16 @@ threat.indicator.as.organization.name: type: keyword threat.indicator.confidence: dashed_name: threat-indicator-confidence - description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the None/Low/Medium/High\_\ - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\ - \ scales may be added as custom fields.\nExpected values are:\n * Not Specified\n\ - \ * None\n * Low\n * Medium\n * High" + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. example: Medium + expected_values: + - Not Specified + - None + - Low + - Medium + - High flat_name: threat.indicator.confidence ignore_above: 1024 level: extended 
@@ -11736,9 +11747,13 @@ threat.indicator.last_seen: type: date threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" + description: Traffic Light Protocol sharing markings. example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended @@ -11907,12 +11922,26 @@ threat.indicator.sightings: type: long threat.indicator.type: dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.indicator.type ignore_above: 1024 level: extended @@ -12168,7 +12197,7 @@ threat.indicator.x509.issuer.common_name: type: keyword threat.indicator.x509.issuer.country: dashed_name: threat-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 
@@ -12177,7 +12206,7 @@ threat.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.indicator.x509.issuer.distinguished_name: dashed_name: threat-indicator-x509-issuer-distinguished-name @@ -12358,7 +12387,7 @@ threat.indicator.x509.subject.common_name: type: keyword threat.indicator.x509.subject.country: dashed_name: threat-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.indicator.x509.subject.country ignore_above: 1024 @@ -12367,7 +12396,7 @@ threat.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.indicator.x509.subject.distinguished_name: dashed_name: threat-indicator-x509-subject-distinguished-name @@ -12473,11 +12502,20 @@ threat.software.name: threat.software.platforms: dashed_name: threat-software-platforms description: "The platforms of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n *\ - \ Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ - \ 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE ATT&CK\xAE\ - \ software platforms." + \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use MITRE\ + \ ATT&CK\xAE software platform values." example: '[ "Windows" ]' + expected_values: + - AWS + - Azure + - Azure AD + - GCP + - Linux + - macOS + - Network + - Office 365 + - SaaS + - Windows flat_name: threat.software.platforms ignore_above: 1024 level: extended 
@@ -12502,9 +12540,12 @@ threat.software.reference: threat.software.type: dashed_name: threat-software-type description: "The type of software used by this threat to conduct behavior commonly\ - \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\ - \n While not required, you can use a MITRE ATT&CK\xAE software type." + \ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\ + \ software type." example: Tool + expected_values: + - Malware + - Tool flat_name: threat.software.type ignore_above: 1024 level: extended diff --git a/schemas/v1/alerts/memory_protection_event.yaml b/schemas/v1/alerts/memory_protection_event.yaml index 2a9368105..122cc4517 100644 --- a/schemas/v1/alerts/memory_protection_event.yaml +++ b/schemas/v1/alerts/memory_protection_event.yaml @@ -5212,19 +5212,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version 
@@ -8989,7 +8995,6 @@ source.geo.timezone: short: Time zone. type: keyword threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -9001,7 +9006,6 @@ threat.enrichments: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator @@ -10450,7 +10454,6 @@ threat.enrichments.indicator.file.uid: short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -10602,7 +10605,6 @@ threat.enrichments.indicator.geo.timezone: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -10613,7 +10615,6 @@ threat.enrichments.indicator.ip: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. 
@@ -10625,11 +10626,14 @@ threat.enrichments.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: Traffic Light Protocol sharing markings. + example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended @@ -10638,7 +10642,6 @@ threat.enrichments.indicator.marking.tlp: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -10650,7 +10653,6 @@ threat.enrichments.indicator.modified_at: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -10661,7 +10663,6 @@ threat.enrichments.indicator.port: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus 
@@ -10673,7 +10674,6 @@ threat.enrichments.indicator.provider: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -10780,7 +10780,6 @@ threat.enrichments.indicator.registry.value: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -10792,7 +10791,6 @@ threat.enrichments.indicator.scanner_stats: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -10803,14 +10801,27 @@ threat.enrichments.indicator.sightings: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended @@ -11066,7 +11077,7 @@ threat.enrichments.indicator.x509.issuer.common_name: type: keyword threat.enrichments.indicator.x509.issuer.country: dashed_name: threat-enrichments-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 @@ -11075,7 +11086,7 @@ threat.enrichments.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.enrichments.indicator.x509.issuer.distinguished_name: dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name 
@@ -11256,7 +11267,7 @@ threat.enrichments.indicator.x509.subject.common_name: type: keyword threat.enrichments.indicator.x509.subject.country: dashed_name: threat-enrichments-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 @@ -11265,7 +11276,7 @@ threat.enrichments.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.enrichments.indicator.x509.subject.distinguished_name: dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name @@ -11343,7 +11354,6 @@ threat.enrichments.indicator.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -11356,7 +11366,6 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -11369,7 +11378,6 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 
@@ -11381,7 +11389,6 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -11393,7 +11400,6 @@ threat.enrichments.matched.index: short: Matched indicator index type: keyword threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator @@ -11502,11 +11508,16 @@ threat.indicator.as.organization.name: type: keyword threat.indicator.confidence: dashed_name: threat-indicator-confidence - description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the None/Low/Medium/High\_\ - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\ - \ scales may be added as custom fields.\nExpected values are:\n * Not Specified\n\ - \ * None\n * Low\n * Medium\n * High" + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. example: Medium + expected_values: + - Not Specified + - None + - Low + - Medium + - High flat_name: threat.indicator.confidence ignore_above: 1024 level: extended 
@@ -13150,9 +13161,13 @@ threat.indicator.last_seen: type: date threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" + description: Traffic Light Protocol sharing markings. example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended @@ -13321,12 +13336,26 @@ threat.indicator.sightings: type: long threat.indicator.type: dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.indicator.type ignore_above: 1024 level: extended @@ -13582,7 +13611,7 @@ threat.indicator.x509.issuer.common_name: type: keyword threat.indicator.x509.issuer.country: dashed_name: threat-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 
@@ -13591,7 +13620,7 @@ threat.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.indicator.x509.issuer.distinguished_name: dashed_name: threat-indicator-x509-issuer-distinguished-name @@ -13772,7 +13801,7 @@ threat.indicator.x509.subject.common_name: type: keyword threat.indicator.x509.subject.country: dashed_name: threat-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.indicator.x509.subject.country ignore_above: 1024 @@ -13781,7 +13810,7 @@ threat.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.indicator.x509.subject.distinguished_name: dashed_name: threat-indicator-x509-subject-distinguished-name @@ -13887,11 +13916,20 @@ threat.software.name: threat.software.platforms: dashed_name: threat-software-platforms description: "The platforms of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n *\ - \ Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ - \ 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE ATT&CK\xAE\ - \ software platforms." + \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use MITRE\ + \ ATT&CK\xAE software platform values." example: '[ "Windows" ]' + expected_values: + - AWS + - Azure + - Azure AD + - GCP + - Linux + - macOS + - Network + - Office 365 + - SaaS + - Windows flat_name: threat.software.platforms ignore_above: 1024 level: extended 
@@ -13916,9 +13954,12 @@ threat.software.reference: threat.software.type: dashed_name: threat-software-type description: "The type of software used by this threat to conduct behavior commonly\ - \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\ - \n While not required, you can use a MITRE ATT&CK\xAE software type." + \ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\ + \ software type." example: Tool + expected_values: + - Malware + - Tool flat_name: threat.software.type ignore_above: 1024 level: extended diff --git a/schemas/v1/alerts/ransomware_event.yaml b/schemas/v1/alerts/ransomware_event.yaml index f9f4eb6c7..43a521313 100644 --- a/schemas/v1/alerts/ransomware_event.yaml +++ b/schemas/v1/alerts/ransomware_event.yaml @@ -2177,19 +2177,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version 
@@ -4292,7 +4298,6 @@ source.geo.timezone: short: Time zone. type: keyword threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -4304,7 +4309,6 @@ threat.enrichments: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator @@ -5753,7 +5757,6 @@ threat.enrichments.indicator.file.uid: short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -5905,7 +5908,6 @@ threat.enrichments.indicator.geo.timezone: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -5916,7 +5918,6 @@ threat.enrichments.indicator.ip: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. 
@@ -5928,11 +5929,14 @@ threat.enrichments.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: Traffic Light Protocol sharing markings. + example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended @@ -5941,7 +5945,6 @@ threat.enrichments.indicator.marking.tlp: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -5953,7 +5956,6 @@ threat.enrichments.indicator.modified_at: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -5964,7 +5966,6 @@ threat.enrichments.indicator.port: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus 
@@ -5976,7 +5977,6 @@ threat.enrichments.indicator.provider: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -6083,7 +6083,6 @@ threat.enrichments.indicator.registry.value: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -6095,7 +6094,6 @@ threat.enrichments.indicator.scanner_stats: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -6106,14 +6104,27 @@ threat.enrichments.indicator.sightings: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended @@ -6369,7 +6380,7 @@ threat.enrichments.indicator.x509.issuer.common_name: type: keyword threat.enrichments.indicator.x509.issuer.country: dashed_name: threat-enrichments-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 @@ -6378,7 +6389,7 @@ threat.enrichments.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.enrichments.indicator.x509.issuer.distinguished_name: dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name 
@@ -6559,7 +6570,7 @@ threat.enrichments.indicator.x509.subject.common_name: type: keyword threat.enrichments.indicator.x509.subject.country: dashed_name: threat-enrichments-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 @@ -6568,7 +6579,7 @@ threat.enrichments.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.enrichments.indicator.x509.subject.distinguished_name: dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name @@ -6646,7 +6657,6 @@ threat.enrichments.indicator.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -6659,7 +6669,6 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -6672,7 +6681,6 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 
@@ -6684,7 +6692,6 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -6696,7 +6703,6 @@ threat.enrichments.matched.index: short: Matched indicator index type: keyword threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator @@ -6805,11 +6811,16 @@ threat.indicator.as.organization.name: type: keyword threat.indicator.confidence: dashed_name: threat-indicator-confidence - description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the None/Low/Medium/High\_\ - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\ - \ scales may be added as custom fields.\nExpected values are:\n * Not Specified\n\ - \ * None\n * Low\n * Medium\n * High" + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. example: Medium + expected_values: + - Not Specified + - None + - Low + - Medium + - High flat_name: threat.indicator.confidence ignore_above: 1024 level: extended @@ -8453,9 +8464,13 @@ threat.indicator.last_seen: type: date threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" + description: Traffic Light Protocol sharing markings. example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended 
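Review bot: The `expected_values` added for `threat.indicator.marking.tlp` (WHITE, GREEN, AMBER, RED) are the TLP 1.0 labels; TLP 2.0 renamed WHITE to CLEAR and added AMBER+STRICT, so feeds that already emit the 2.0 labels will populate values outside this list. Nothing in the hunk rejects them (the mapping is still a plain keyword), but detection or sharing logic that filters on the listed markings would silently miss CLEAR and AMBER+STRICT. The same list is repeated for `threat.enrichments.indicator.marking.tlp` in rule_detection_event.yaml. As the list comes from the pinned ECS version the right path is to raise it upstream; if these files are hand-editable, a comment such as `# TLP 2.0 labels (CLEAR, AMBER+STRICT) are not in this list` next to the values would warn consumers in the meantime.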
@@ -8624,12 +8639,26 @@ threat.indicator.sightings: type: long threat.indicator.type: dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.indicator.type ignore_above: 1024 level: extended @@ -8885,7 +8914,7 @@ threat.indicator.x509.issuer.common_name: type: keyword threat.indicator.x509.issuer.country: dashed_name: threat-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 @@ -8894,7 +8923,7 @@ threat.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.indicator.x509.issuer.distinguished_name: dashed_name: threat-indicator-x509-issuer-distinguished-name @@ -9075,7 +9104,7 @@ threat.indicator.x509.subject.common_name: type: keyword threat.indicator.x509.subject.country: dashed_name: threat-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.indicator.x509.subject.country ignore_above: 1024 
@@ -9084,7 +9113,7 @@ threat.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.indicator.x509.subject.distinguished_name: dashed_name: threat-indicator-x509-subject-distinguished-name @@ -9190,11 +9219,20 @@ threat.software.name: threat.software.platforms: dashed_name: threat-software-platforms description: "The platforms of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n *\ - \ Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ - \ 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE ATT&CK\xAE\ - \ software platforms." + \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use MITRE\ + \ ATT&CK\xAE software platform values." example: '[ "Windows" ]' + expected_values: + - AWS + - Azure + - Azure AD + - GCP + - Linux + - macOS + - Network + - Office 365 + - SaaS + - Windows flat_name: threat.software.platforms ignore_above: 1024 level: extended @@ -9219,9 +9257,12 @@ threat.software.reference: threat.software.type: dashed_name: threat-software-type description: "The type of software used by this threat to conduct behavior commonly\ - \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\ - \n While not required, you can use a MITRE ATT&CK\xAE software type." + \ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\ + \ software type." example: Tool + expected_values: + - Malware + - Tool flat_name: threat.software.type ignore_above: 1024 level: extended diff --git a/schemas/v1/alerts/rule_detection_event.yaml b/schemas/v1/alerts/rule_detection_event.yaml index 6df0b5f0e..8df1e4198 100644 --- a/schemas/v1/alerts/rule_detection_event.yaml +++ b/schemas/v1/alerts/rule_detection_event.yaml 
@@ -478,7 +478,6 @@ source.geo.timezone: short: Time zone. type: keyword threat.enrichments: - beta: This field is beta and subject to change. dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -490,7 +489,6 @@ threat.enrichments: short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator @@ -1939,7 +1937,6 @@ threat.enrichments.indicator.file.uid: short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -2091,7 +2088,6 @@ threat.enrichments.indicator.geo.timezone: short: Time zone. type: keyword threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -2102,7 +2098,6 @@ threat.enrichments.indicator.ip: short: Indicator IP address type: ip threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. 
@@ -2114,11 +2109,14 @@ threat.enrichments.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: Traffic Light Protocol sharing markings. + example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended @@ -2127,7 +2125,6 @@ threat.enrichments.indicator.marking.tlp: short: Indicator TLP marking type: keyword threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. @@ -2139,7 +2136,6 @@ threat.enrichments.indicator.modified_at: short: Date/time indicator was last updated. type: date threat.enrichments.indicator.port: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -2150,7 +2146,6 @@ threat.enrichments.indicator.port: short: Indicator port type: long threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus 
@@ -2162,7 +2157,6 @@ threat.enrichments.indicator.provider: short: Indicator provider type: keyword threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 @@ -2269,7 +2263,6 @@ threat.enrichments.indicator.registry.value: short: Name of the value written. type: keyword threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -2281,7 +2274,6 @@ threat.enrichments.indicator.scanner_stats: short: Scanner statistics type: long threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -2292,14 +2284,27 @@ threat.enrichments.indicator.sightings: short: Number of times indicator observed type: long threat.enrichments.indicator.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended @@ -2555,7 +2560,7 @@ threat.enrichments.indicator.x509.issuer.common_name: type: keyword threat.enrichments.indicator.x509.issuer.country: dashed_name: threat-enrichments-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 @@ -2564,7 +2569,7 @@ threat.enrichments.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.enrichments.indicator.x509.issuer.distinguished_name: dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name 
@@ -2745,7 +2750,7 @@ threat.enrichments.indicator.x509.subject.common_name: type: keyword threat.enrichments.indicator.x509.subject.country: dashed_name: threat-enrichments-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 @@ -2754,7 +2759,7 @@ threat.enrichments.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.enrichments.indicator.x509.subject.distinguished_name: dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name @@ -2832,7 +2837,6 @@ threat.enrichments.indicator.x509.version_number: short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. @@ -2845,7 +2849,6 @@ threat.enrichments.matched.atomic: short: Matched indicator value type: keyword threat.enrichments.matched.field: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. @@ -2858,7 +2861,6 @@ threat.enrichments.matched.field: short: Matched indicator field type: keyword threat.enrichments.matched.id: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 
@@ -2870,7 +2872,6 @@ threat.enrichments.matched.id: short: Matched indicator identifier type: keyword threat.enrichments.matched.index: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 @@ -2882,7 +2883,6 @@ threat.enrichments.matched.index: short: Matched indicator index type: keyword threat.enrichments.matched.type: - beta: This field is beta and subject to change. dashed_name: threat-enrichments-matched-type description: Identifies the type of match that caused the event to be enriched with the given indicator @@ -2991,11 +2991,16 @@ threat.indicator.as.organization.name: type: keyword threat.indicator.confidence: dashed_name: threat-indicator-confidence - description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the None/Low/Medium/High\_\ - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\ - \ scales may be added as custom fields.\nExpected values are:\n * Not Specified\n\ - \ * None\n * Low\n * Medium\n * High" + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. example: Medium + expected_values: + - Not Specified + - None + - Low + - Medium + - High flat_name: threat.indicator.confidence ignore_above: 1024 level: extended @@ -4639,9 +4644,13 @@ threat.indicator.last_seen: type: date threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" + description: Traffic Light Protocol sharing markings. example: WHITE + expected_values: + - WHITE + - GREEN + - AMBER + - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended 
@@ -4810,12 +4819,26 @@ threat.indicator.sightings: type: long threat.indicator.type: dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" + description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr + expected_values: + - autonomous-system + - artifact + - directory + - domain-name + - email-addr + - file + - ipv4-addr + - ipv6-addr + - mac-addr + - mutex + - port + - process + - software + - url + - user-account + - windows-registry-key + - x509-certificate flat_name: threat.indicator.type ignore_above: 1024 level: extended @@ -5071,7 +5094,7 @@ threat.indicator.x509.issuer.common_name: type: keyword threat.indicator.x509.issuer.country: dashed_name: threat-indicator-x509-issuer-country - description: List of country (C) codes + description: List of country \(C) codes example: US flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 @@ -5080,7 +5103,7 @@ threat.indicator.x509.issuer.country: normalize: - array original_fieldset: x509 - short: List of country (C) codes + short: List of country \(C) codes type: keyword threat.indicator.x509.issuer.distinguished_name: dashed_name: threat-indicator-x509-issuer-distinguished-name @@ -5261,7 +5284,7 @@ threat.indicator.x509.subject.common_name: type: keyword threat.indicator.x509.subject.country: dashed_name: threat-indicator-x509-subject-country - description: List of country (C) code + description: List of country \(C) code example: US flat_name: threat.indicator.x509.subject.country ignore_above: 1024 
@@ -5270,7 +5293,7 @@ threat.indicator.x509.subject.country: normalize: - array original_fieldset: x509 - short: List of country (C) code + short: List of country \(C) code type: keyword threat.indicator.x509.subject.distinguished_name: dashed_name: threat-indicator-x509-subject-distinguished-name @@ -5376,11 +5399,20 @@ threat.software.name: threat.software.platforms: dashed_name: threat-software-platforms description: "The platforms of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n *\ - \ Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ - \ 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE ATT&CK\xAE\ - \ software platforms." + \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use MITRE\ + \ ATT&CK\xAE software platform values." example: '[ "Windows" ]' + expected_values: + - AWS + - Azure + - Azure AD + - GCP + - Linux + - macOS + - Network + - Office 365 + - SaaS + - Windows flat_name: threat.software.platforms ignore_above: 1024 level: extended @@ -5405,9 +5437,12 @@ threat.software.reference: threat.software.type: dashed_name: threat-software-type description: "The type of software used by this threat to conduct behavior commonly\ - \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\ - \n While not required, you can use a MITRE ATT&CK\xAE software type." + \ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\ + \ software type." example: Tool + expected_values: + - Malware + - Tool flat_name: threat.software.type ignore_above: 1024 level: extended diff --git a/schemas/v1/file/file.yaml b/schemas/v1/file/file.yaml index 092fc1a35..033fafa6f 100644 --- a/schemas/v1/file/file.yaml +++ b/schemas/v1/file/file.yaml 
@@ -1915,19 +1915,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/file/unquarantine.yaml b/schemas/v1/file/unquarantine.yaml index 78a772642..f578d3cc6 100644 --- a/schemas/v1/file/unquarantine.yaml +++ b/schemas/v1/file/unquarantine.yaml 
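Review bot: `expected_values` on `host.os.type` is documentation metadata rather than a mapping constraint — the field stays `type: keyword` with no validation, so ingest accepts any string and the description's "should not be populated" remains advisory. Detection content keyed on the newly listed `ios` and `android` values should therefore not assume the field is limited to this list. Consider noting this where `expected_values` is rendered, e.g. `# expected_values is advisory; values are not validated at ingest`. The identical hunk appears in unquarantine.yaml, library.yaml, metadata.yaml, metrics.yaml, network.yaml and policy.yaml, and the same caveat applies to the `network.direction` list in network.yaml.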
@@ -1123,19 +1123,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/library/library.yaml b/schemas/v1/library/library.yaml index 7829e4093..43d9161c0 100644 --- a/schemas/v1/library/library.yaml +++ b/schemas/v1/library/library.yaml 
@@ -1921,19 +1921,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/metadata/metadata.yaml b/schemas/v1/metadata/metadata.yaml index db390f261..11a0926ae 100644 --- a/schemas/v1/metadata/metadata.yaml +++ b/schemas/v1/metadata/metadata.yaml 
@@ -1085,19 +1085,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/metrics/metrics.yaml b/schemas/v1/metrics/metrics.yaml index 5eae7b894..860fc5007 100644 --- a/schemas/v1/metrics/metrics.yaml +++ b/schemas/v1/metrics/metrics.yaml 
@@ -2004,19 +2004,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/network/network.yaml b/schemas/v1/network/network.yaml index 37d7a6165..0cc96ab8d 100644 --- a/schemas/v1/network/network.yaml +++ b/schemas/v1/network/network.yaml 
@@ -1397,19 +1397,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version 
@@ -1594,18 +1600,28 @@ network.community_id: type: keyword network.direction: dashed_name: network-direction - description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n\ - \ * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\ - \nWhen mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\ - When mapping events from a network or perimeter-based monitoring context, populate\ - \ this field from the point of view of the network perimeter, using the values\ - \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\ - \ is not crossing perimeter boundaries, and is meant to describe communication\ - \ between two hosts within the perimeter. Note also that \"external\" is meant\ - \ to describe traffic between two hosts that are external to the perimeter. This\ - \ could for example be useful for ISPs or VPN service providers." + description: 'Direction of the network traffic. + + When mapping events from a host-based monitoring context, populate this field + from the host''s point of view, using the values "ingress" or "egress". + + When mapping events from a network or perimeter-based monitoring context, populate + this field from the point of view of the network perimeter, using the values "inbound", + "outbound", "internal" or "external". + + Note that "internal" is not crossing perimeter boundaries, and is meant to describe + communication between two hosts within the perimeter. Note also that "external" + is meant to describe traffic between two hosts that are external to the perimeter. + This could for example be useful for ISPs or VPN service providers.' example: inbound + expected_values: + - ingress + - egress + - inbound + - outbound + - internal + - external + - unknown flat_name: network.direction ignore_above: 1024 level: core 
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml index 6244d3a6d..77cfe6ac9 100644 --- a/schemas/v1/policy/policy.yaml +++ b/schemas/v1/policy/policy.yaml @@ -1631,19 +1631,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/process/linux_event_model_event.yaml b/schemas/v1/process/linux_event_model_event.yaml index b624cebef..1f5aba802 100644 --- a/schemas/v1/process/linux_event_model_event.yaml +++ b/schemas/v1/process/linux_event_model_event.yaml @@ -568,7 +568,6 @@ process.entry_leader.entry_meta.source.ip: short: IP address of the source. type: ip process.entry_leader.entry_meta.type: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-entry-meta-type description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console 
@@ -627,7 +626,6 @@ process.entry_leader.group.name: short: Name of the group. type: keyword process.entry_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -821,7 +819,6 @@ process.entry_leader.real_user.name: short: Short name or login of the user. type: keyword process.entry_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -935,7 +932,6 @@ process.entry_leader.supplemental_groups.name: short: Name of the group. type: keyword process.entry_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -947,7 +943,6 @@ process.entry_leader.tty: short: Information about the controlling TTY device. type: object process.entry_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -962,7 +957,6 @@ process.entry_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.entry_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-entry-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ 
@@ -1029,17 +1023,19 @@ process.entry_leader.working_directory: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. May - be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. @@ -1181,7 +1177,6 @@ process.group_leader.group.name: short: Name of the group. type: keyword process.group_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-group-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -1289,7 +1284,6 @@ process.group_leader.real_user.name: short: Short name or login of the user. type: keyword process.group_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. 
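Review bot: The `process.env_vars` mapping changes from `type: object` to `type: keyword` (with `normalize: - array`), which is a mapping conflict for any existing index that already holds this field as an object, so the data stream needs a rollover or a new package version before documents of the new shape are ingested; the diff does not record that anywhere. The added `ignore_above: 1024` also means a single binding longer than 1024 characters is not indexed and will not match detections that query `process.env_vars`, so a long `PATH=` value can silently drop out of search results; that limit should be a conscious choice for this field rather than a default carried over. If this file is regenerated from an upstream schema, a YAML comment here will not survive, so the breaking change belongs in the package changelog; otherwise a one-line note next to the type line, `# breaking: object -> keyword array; existing indices need a rollover`, would be enough.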
@@ -1403,7 +1397,6 @@ process.group_leader.supplemental_groups.name: short: Name of the group. type: keyword process.group_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -1415,7 +1408,6 @@ process.group_leader.tty: short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -1430,7 +1422,6 @@ process.group_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -1495,7 +1486,6 @@ process.group_leader.working_directory: short: The working directory of the process. type: keyword process.interactive: - beta: This field is beta and subject to change. dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. @@ -1764,7 +1754,6 @@ process.parent.group_leader.start: short: The time the process started. type: date process.parent.interactive: - beta: This field is beta and subject to change. dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. 
@@ -1955,7 +1944,6 @@ process.parent.supplemental_groups.name: short: Name of the group. type: keyword process.parent.tty: - beta: This field is beta and subject to change. dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -1967,7 +1955,6 @@ process.parent.tty: short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -1982,7 +1969,6 @@ process.parent.tty.char_device.major: short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -2330,7 +2316,6 @@ process.session_leader.group.name: short: Name of the group. type: keyword process.session_leader.interactive: - beta: This field is beta and subject to change. dashed_name: process-session-leader-interactive description: 'Whether the process is connected to an interactive shell. @@ -2524,7 +2509,6 @@ process.session_leader.real_user.name: short: Short name or login of the user. type: keyword process.session_leader.same_as_process: - beta: This field is beta and subject to change. dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. 
@@ -2638,7 +2622,6 @@ process.session_leader.supplemental_groups.name: short: Name of the group. type: keyword process.session_leader.tty: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -2650,7 +2633,6 @@ process.session_leader.tty: short: Information about the controlling TTY device. type: object process.session_leader.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined @@ -2665,7 +2647,6 @@ process.session_leader.tty.char_device.major: short: The TTY character device's major number. type: long process.session_leader.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-session-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ @@ -2762,7 +2743,6 @@ process.supplemental_groups.name: short: Name of the group. type: keyword process.tty: - beta: This field is beta and subject to change. dashed_name: process-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. @@ -2773,7 +2753,6 @@ process.tty: short: Information about the controlling TTY device. type: object process.tty.char_device.major: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined 
@@ -2787,7 +2766,6 @@ process.tty.char_device.major: short: The TTY character device's major number. type: long process.tty.char_device.minor: - beta: This field is beta and subject to change. dashed_name: process-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ diff --git a/schemas/v1/process/process.yaml b/schemas/v1/process/process.yaml index 440810344..31db2860a 100644 --- a/schemas/v1/process/process.yaml +++ b/schemas/v1/process/process.yaml @@ -1145,19 +1145,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/registry/registry.yaml b/schemas/v1/registry/registry.yaml index ab7c5692b..3b8530089 100644 --- a/schemas/v1/registry/registry.yaml +++ b/schemas/v1/registry/registry.yaml 
@@ -1188,19 +1188,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version diff --git a/schemas/v1/security/security.yaml b/schemas/v1/security/security.yaml index e6619ab4c..964fb34b5 100644 --- a/schemas/v1/security/security.yaml +++ b/schemas/v1/security/security.yaml 
@@ -1145,19 +1145,25 @@ host.os.type: description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS you''re dealing with is not in the list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose its addition.' + If the OS you''re dealing with is not listed as an expected value, the field should + not be populated. Please let us know by opening an issue with ECS, to propose + its addition.' example: macos + expected_values: + - linux + - macos + - unix + - windows + - ios + - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or + android).' type: keyword host.os.version: dashed_name: host-os-version